fix: add auto-approval support for MCP resources (#5300)

Author: MuriloFP

src/core/webview/webviewMessageHandler.ts

@@ -881,6 +881,23 @@ export const webviewMessageHandler = async (
 			}
 			break
 		}
+		case "toggleResourceAlwaysAllow": {
+			try {
+				await provider
+					.getMcpHub()
+					?.toggleResourceAlwaysAllow(
+						message.serverName!,
+						message.source as "global" | "project",
+						message.resourceUri!,
+						Boolean(message.alwaysAllow),
+					)
+			} catch (error) {
+				provider.log(
+					`Failed to toggle auto-approve for resource ${message.resourceUri}: ${JSON.stringify(error, Object.getOwnPropertyNames(error), 2)}`,
+				)
+			}
+			break
+		}
 		case "toggleToolEnabledForPrompt": {
 			try {
 				await provider

src/services/mcp/McpHub.ts

@@ -885,7 +885,44 @@ export class McpHub {
 				return []
 			}
 			const response = await connection.client.request({ method: "resources/list" }, ListResourcesResultSchema)
-			return response?.resources || []
+
+			// Determine the actual source of the server
+			const actualSource = connection.server.source || "global"
+			let configPath: string
+			let alwaysAllowResourcesConfig: string[] = []
+
+			// Read from the appropriate config file based on the actual source
+			try {
+				let serverConfigData: Record<string, any> = {}
+				if (actualSource === "project") {
+					// Get project MCP config path
+					const projectMcpPath = await this.getProjectMcpPath()
+					if (projectMcpPath) {
+						configPath = projectMcpPath
+						const content = await fs.readFile(configPath, "utf-8")
+						serverConfigData = JSON.parse(content)
+					}
+				} else {
+					// Get global MCP settings path
+					configPath = await this.getMcpSettingsFilePath()
+					const content = await fs.readFile(configPath, "utf-8")
+					serverConfigData = JSON.parse(content)
+				}
+				if (serverConfigData) {
+					alwaysAllowResourcesConfig = serverConfigData.mcpServers?.[serverName]?.alwaysAllowResources || []
+				}
+			} catch (error) {
+				console.error(`Failed to read resource configuration for ${serverName}:`, error)
+				// Continue with empty configs
+			}
+
+			// Mark resources as always allowed based on settings
+			const resources = (response?.resources || []).map((resource) => ({
+				...resource,
+				alwaysAllow: alwaysAllowResourcesConfig.includes(resource.uri),
+			}))
+
+			return resources
 		} catch (error) {
 			// console.error(`Failed to fetch resources for ${serverName}:`, error)
 			return []
@@ -905,7 +942,44 @@ export class McpHub {
 				{ method: "resources/templates/list" },
 				ListResourceTemplatesResultSchema,
 			)
-			return response?.resourceTemplates || []
+
+			// Determine the actual source of the server
+			const actualSource = connection.server.source || "global"
+			let configPath: string
+			let alwaysAllowResourcesConfig: string[] = []
+
+			// Read from the appropriate config file based on the actual source
+			try {
+				let serverConfigData: Record<string, any> = {}
+				if (actualSource === "project") {
+					// Get project MCP config path
+					const projectMcpPath = await this.getProjectMcpPath()
+					if (projectMcpPath) {
+						configPath = projectMcpPath
+						const content = await fs.readFile(configPath, "utf-8")
+						serverConfigData = JSON.parse(content)
+					}
+				} else {
+					// Get global MCP settings path
+					configPath = await this.getMcpSettingsFilePath()
+					const content = await fs.readFile(configPath, "utf-8")
+					serverConfigData = JSON.parse(content)
+				}
+				if (serverConfigData) {
+					alwaysAllowResourcesConfig = serverConfigData.mcpServers?.[serverName]?.alwaysAllowResources || []
+				}
+			} catch (error) {
+				console.error(`Failed to read resource template configuration for ${serverName}:`, error)
+				// Continue with empty configs
+			}
+
+			// Mark resource templates as always allowed based on settings
+			const resourceTemplates = (response?.resourceTemplates || []).map((template) => ({
+				...template,
+				alwaysAllow: alwaysAllowResourcesConfig.includes(template.uriTemplate),
+			}))
+
+			return resourceTemplates
 		} catch (error) {
 			// console.error(`Failed to fetch resource templates for ${serverName}:`, error)
 			return []
@@ -1609,6 +1683,104 @@ export class McpHub {
 		}
 	}
 
+	async toggleResourceAlwaysAllow(
+		serverName: string,
+		source: "global" | "project",
+		resourceUri: string,
+		shouldAllow: boolean,
+	): Promise<void> {
+		try {
+			await this.updateServerResourceList(serverName, source, resourceUri, "alwaysAllowResources", shouldAllow)
+		} catch (error) {
+			this.showErrorMessage(
+				`Failed to toggle always allow for resource "${resourceUri}" on server "${serverName}" with source "${source}"`,
+				error,
+			)
+			throw error
+		}
+	}
+
+	/**
+	 * Helper method to update the resource always allow list
+	 * in the appropriate settings file.
+	 * @param serverName The name of the server to update
+	 * @param source Whether to update the global or project config
+	 * @param resourceUri The URI of the resource to add or remove
+	 * @param listName The name of the list to modify ("alwaysAllowResources")
+	 * @param addResource Whether to add (true) or remove (false) the resource from the list
+	 */
+	private async updateServerResourceList(
+		serverName: string,
+		source: "global" | "project",
+		resourceUri: string,
+		listName: "alwaysAllowResources",
+		addResource: boolean,
+	): Promise<void> {
+		// Find the connection with matching name and source
+		const connection = this.findConnection(serverName, source)
+
+		if (!connection) {
+			throw new Error(`Server ${serverName} with source ${source} not found`)
+		}
+
+		// Determine the correct config path based on the source
+		let configPath: string
+		if (source === "project") {
+			// Get project MCP config path
+			const projectMcpPath = await this.getProjectMcpPath()
+			if (!projectMcpPath) {
+				throw new Error("Project MCP configuration file not found")
+			}
+			configPath = projectMcpPath
+		} else {
+			// Get global MCP settings path
+			configPath = await this.getMcpSettingsFilePath()
+		}
+
+		// Normalize path for cross-platform compatibility
+		// Use a consistent path format for both reading and writing
+		const normalizedPath = process.platform === "win32" ? configPath.replace(/\\/g, "/") : configPath
+
+		// Read the appropriate config file
+		const content = await fs.readFile(normalizedPath, "utf-8")
+		const config = JSON.parse(content)
+
+		if (!config.mcpServers) {
+			config.mcpServers = {}
+		}
+
+		if (!config.mcpServers[serverName]) {
+			config.mcpServers[serverName] = {
+				type: "stdio",
+				command: "node",
+				args: [], // Default to an empty array; can be set later if needed
+			}
+		}
+
+		if (!config.mcpServers[serverName][listName]) {
+			config.mcpServers[serverName][listName] = []
+		}
+
+		const targetList = config.mcpServers[serverName][listName]
+		const resourceIndex = targetList.indexOf(resourceUri)
+
+		if (addResource && resourceIndex === -1) {
+			targetList.push(resourceUri)
+		} else if (!addResource && resourceIndex !== -1) {
+			targetList.splice(resourceIndex, 1)
+		}
+
+		// Write config file first, then update UI only if successful
+		await fs.writeFile(normalizedPath, JSON.stringify(config, null, 2))
+
+		// Only update UI after successful config file write
+		if (connection) {
+			connection.server.resources = await this.fetchResourcesList(serverName, source)
+			connection.server.resourceTemplates = await this.fetchResourceTemplatesList(serverName, source)
+			await this.notifyWebviewOfServerChanges()
+		}
+	}
+
 	async dispose(): Promise<void> {
 		// Prevent multiple disposals
 		if (this.isDisposed) {

src/shared/WebviewMessage.ts

@@ -102,6 +102,7 @@ export interface WebviewMessage {
 		| "restartMcpServer"
 		| "refreshAllMcpServers"
 		| "toggleToolAlwaysAllow"
+		| "toggleResourceAlwaysAllow"
 		| "toggleToolEnabledForPrompt"
 		| "toggleMcpServer"
 		| "updateMcpTimeout"
@@ -208,6 +209,7 @@ export interface WebviewMessage {
 	audioType?: AudioType
 	serverName?: string
 	toolName?: string
+	resourceUri?: string
 	alwaysAllow?: boolean
 	isEnabled?: boolean
 	mode?: Mode

src/shared/mcp.ts

@@ -33,13 +33,15 @@ export type McpResource = {
 	name: string
 	mimeType?: string
 	description?: string
+	alwaysAllow?: boolean
 }
 
 export type McpResourceTemplate = {
 	uriTemplate: string
 	name: string
 	description?: string
 	mimeType?: string
+	alwaysAllow?: boolean
 }
 
 export type McpResourceResponse = {

webview-ui/src/components/chat/ChatView.tsx

@@ -13,7 +13,7 @@ import { useDebounceEffect } from "@src/utils/useDebounceEffect"
 import type { ClineAsk, ClineMessage } from "@roo-code/types"
 
 import { ClineSayBrowserAction, ClineSayTool, ExtensionMessage } from "@roo/ExtensionMessage"
-import { McpServer, McpTool } from "@roo/mcp"
+import { McpServer, McpTool, McpResource } from "@roo/mcp"
 import { findLast } from "@roo/array"
 import { FollowUpData, SuggestionItem } from "@roo-code/types"
 import { combineApiRequests } from "@roo/combineApiRequests"
@@ -895,27 +895,6 @@ const ChatViewComponent: React.ForwardRefRenderFunction<ChatViewRef, ChatViewPro
 		return false
 	}, [])
 
-	const isMcpToolAlwaysAllowed = useCallback(
-		(message: ClineMessage | undefined) => {
-			if (message?.type === "ask" && message.ask === "use_mcp_server") {
-				if (!message.text) {
-					return true
-				}
-
-				const mcpServerUse = JSON.parse(message.text) as { type: string; serverName: string; toolName: string }
-
-				if (mcpServerUse.type === "use_mcp_tool") {
-					const server = mcpServers?.find((s: McpServer) => s.name === mcpServerUse.serverName)
-					const tool = server?.tools?.find((t: McpTool) => t.name === mcpServerUse.toolName)
-					return tool?.alwaysAllow || false
-				}
-			}
-
-			return false
-		},
-		[mcpServers],
-	)
-
 	// Get the command decision using unified validation logic
 	const getCommandDecisionForMessage = useCallback(
 		(message: ClineMessage | undefined): CommandDecision => {
@@ -974,7 +953,57 @@ const ChatViewComponent: React.ForwardRefRenderFunction<ChatViewRef, ChatViewPro
 			}
 
 			if (message.ask === "use_mcp_server") {
-				return alwaysAllowMcp && isMcpToolAlwaysAllowed(message)
+				if (!alwaysAllowMcp) {
+					return false
+				}
+
+				// If no text, allow it
+				if (!message.text) {
+					return true
+				}
+
+				// Parse the MCP server use
+				const mcpServerUse = JSON.parse(message.text) as {
+					type: string
+					serverName: string
+					toolName?: string
+					uri?: string
+				}
+
+				if (mcpServerUse.type === "use_mcp_tool") {
+					const server = mcpServers?.find((s: McpServer) => s.name === mcpServerUse.serverName)
+					const tool = server?.tools?.find((t: McpTool) => t.name === mcpServerUse.toolName)
+					return tool?.alwaysAllow || false
+				}
+
+				if (mcpServerUse.type === "access_mcp_resource") {
+					const server = mcpServers?.find((s: McpServer) => s.name === mcpServerUse.serverName)
+					const resource = server?.resources?.find((r: McpResource) => r.uri === mcpServerUse.uri)
+
+					if (resource?.alwaysAllow) {
+						return true
+					}
+
+					// Check resource templates
+					if (server?.resourceTemplates && mcpServerUse.uri) {
+						for (const template of server.resourceTemplates) {
+							// Convert template pattern to regex with proper escaping
+							const pattern = template.uriTemplate
+								.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") // Escape special regex chars
+								.replace(/\\\{[^}]+\\\}/g, "[^/]+") // Match path segments, not everything
+							const regex = new RegExp(`^${pattern}$`)
+							if (regex.test(mcpServerUse.uri) && template.alwaysAllow) {
+								return true
+							}
+						}
+					}
+
+					// Resource not found or not allowed
+					return false
+				}
+
+				// Unknown type, don't auto-approve
+				return false
 			}
 
 			if (message.ask === "command") {
@@ -1049,7 +1078,7 @@ const ChatViewComponent: React.ForwardRefRenderFunction<ChatViewRef, ChatViewPro
 			alwaysAllowExecute,
 			isAllowedCommand,
 			alwaysAllowMcp,
-			isMcpToolAlwaysAllowed,
+			mcpServers,
 			alwaysAllowModeSwitch,
 			alwaysAllowFollowupQuestions,
 			alwaysAllowSubtasks,
@@ -1522,6 +1551,7 @@ const ChatViewComponent: React.ForwardRefRenderFunction<ChatViewRef, ChatViewPro
 		clineAsk,
 		enableButtons,
 		handlePrimaryButtonClick,
+		autoApprovalEnabled,
 		alwaysAllowBrowser,
 		alwaysAllowReadOnly,
 		alwaysAllowReadOnlyOutsideWorkspace,
@@ -1530,10 +1560,10 @@ const ChatViewComponent: React.ForwardRefRenderFunction<ChatViewRef, ChatViewPro
 		alwaysAllowExecute,
 		followupAutoApproveTimeoutMs,
 		alwaysAllowMcp,
+		mcpServers,
 		messages,
 		allowedCommands,
 		deniedCommands,
-		mcpServers,
 		isAutoApproved,
 		lastMessage,
 		writeDelayMs,