feat: Support parameter-level filtering for MCP tool permissions

Open bhosmer-ant opened this issue 1 week ago • 0 comments

Summary

Users want to allow MCP tools with specific parameter constraints. For example:

  • Allow mcp__slack__send_message but only to specific channels
  • Allow mcp__github__create_issue but only in certain repos

Currently, MCP rules explicitly reject parentheses patterns with the error:

MCP rules do not support patterns in parentheses

Context

  • Original request: https://anthropic.slack.com/archives/C07VBSHV7EV/p1768340221057509
  • Earlier discussion: https://anthropic.slack.com/archives/C07VBSHV7EV/p1767987141121029

Why this is safer for MCP than Bash

MCP tool inputs are structured JSON, not arbitrary shell commands. There's no ls && rm -rf ~ bypass concern since params are discrete key-value pairs. The shell injection risks that apply to Bash(ls:*) don't apply to MCP param matching.

Potential syntax options

  1. Simple wildcards (consistent with Bash):

    mcp__slack__send_message(channelId: "C09PZGUHU1M")
    mcp__slack__send_message(channelId: "C09*")
    
  2. CEL expressions (as proposed in the Server-Side Tool Permissions API):

    mcp__slack__send_message(expr: 'input.channelId in ["C123", "C456"]')
    
  3. JSON query syntax:

    mcp__slack__send_message({"channelId": {"$in": ["C123", "C456"]}})
    

Implementation notes

  • The Bash permission system already has matchWildcardPattern() and bashPermissionRule() that could be adapted
  • Main changes needed in permissionValidation.ts (remove block) and MCP permission checking
  • Need to decide on syntax and handle nested params, type coercion

Workarounds (current)

  • Use a PreToolUse hook for custom validation
  • Create a wrapper MCP server that enforces constraints
  • Manually approve each call

bhosmer-ant, Jan 13 '26 21:01
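
One way syntax option 1 could be evaluated against structured tool input, as an added example that is not part of the issue or of Claude Code's code base: it parses a rule of the form shown under option 1 and matches it strictly, covering the nested-parameter and type-coercion questions raised in the implementation notes. All type and function names are hypothetical, and dotted keys for nested params are an assumption rather than a decided syntax.

```typescript
// Added example. Every name below is hypothetical, not a Claude Code internal.
type ParamConstraint = { key: string; pattern: string };
type ParamRule = { tool: string; constraints: ParamConstraint[] };

// Parse `mcp__server__tool(key: "pattern", ...)`. Anything malformed returns
// null (treat as "no rule") so a typo can never widen into allow-everything.
function parseParamRule(rule: string): ParamRule | null {
  const m = /^(mcp__[A-Za-z0-9_-]+)\((.*)\)$/.exec(rule.trim());
  if (!m) return null;
  const constraints: ParamConstraint[] = [];
  const pair = /^\s*([A-Za-z_][\w.]*)\s*:\s*"([^"]*)"\s*(?:,|$)/;
  let rest = m[2];
  while (rest.length > 0) {
    const p = pair.exec(rest);
    if (!p) return null;
    constraints.push({ key: p[1], pattern: p[2] });
    rest = rest.slice(p[0].length);
  }
  return constraints.length > 0 ? { tool: m[1], constraints } : null;
}

// Resolve a dotted path through own properties only, so a rule key such as
// "__proto__" or "constructor" cannot reach inherited values.
function getOwnPath(input: unknown, path: string): unknown {
  let cur: unknown = input;
  for (const part of path.split(".")) {
    if (typeof cur !== "object" || cur === null) return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, part)) return undefined;
    cur = (cur as Record<string, unknown>)[part];
  }
  return cur;
}

// "*" matches any run of characters and everything else is literal. The regex
// is anchored at both ends, so "C09*" does not match "XC09...".
function wildcardMatch(pattern: string, value: string): boolean {
  const literal = (s: string) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^${pattern.split("*").map(literal).join("[\\s\\S]*")}$`).test(value);
}

// Allow only if the tool name is identical and every constraint is met by a
// string value. Arrays, numbers and missing keys never match (no coercion).
function ruleAllows(rule: ParamRule, tool: string, input: unknown): boolean {
  if (rule.tool !== tool) return false;
  return rule.constraints.every((c) => {
    const v = getOwnPath(input, c.key);
    return typeof v === "string" && wildcardMatch(c.pattern, v);
  });
}
```

Refusing to coerce matters here: with string coercion, an input of ["C09PZGUHU1M"] would stringify to an allowed channel ID and pass the rule.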