ummaya 0.2.4 → 0.2.6

package/tui/src/tools/FileWriteTool/FileWriteTool.ts

@@ -1,47 +1,12 @@
-import { dirname, sep } from 'path'
-import { logEvent } from 'src/services/analytics/index.js'
 import { z } from 'zod/v4'
-import { getFeatureValue_CACHED_MAY_BE_STALE } from '../../services/analytics/growthbook.js'
-import { diagnosticTracker } from '../../services/diagnosticTracking.js'
-import { clearDeliveredDiagnosticsForFile } from '../../services/lsp/LSPDiagnosticRegistry.js'
-import { getLspServerManager } from '../../services/lsp/manager.js'
-import { notifyVscodeFileUpdated } from '../../services/mcp/vscodeSdkMcp.js'
-import { checkTeamMemSecrets } from '../../services/teamMemorySync/teamMemSecretGuard.js'
-import {
-  activateConditionalSkillsForPaths,
-  addSkillDirectories,
-  discoverSkillDirsForPaths,
-} from '../../skills/loadSkillsDir.js'
-import type { ToolUseContext } from '../../Tool.js'
 import { buildTool, type ToolDef } from '../../Tool.js'
-import { getCwd } from '../../utils/cwd.js'
-import { logForDebugging } from '../../utils/debug.js'
-import { countLinesChanged, getPatchForDisplay } from '../../utils/diff.js'
-import { isEnvTruthy } from '../../utils/envUtils.js'
-import { isENOENT } from '../../utils/errors.js'
-import { getFileModificationTime, writeTextContent } from '../../utils/file.js'
-import {
-  fileHistoryEnabled,
-  fileHistoryTrackEdit,
-} from '../../utils/fileHistory.js'
-import { logFileOperation } from '../../utils/fileOperationAnalytics.js'
-import { readFileSyncWithMetadata } from '../../utils/fileRead.js'
-import { getFsImplementation } from '../../utils/fsOperations.js'
-import {
-  fetchSingleFileGitDiff,
-  type ToolUseDiff,
-} from '../../utils/gitDiff.js'
 import { lazySchema } from '../../utils/lazySchema.js'
-import { logError } from '../../utils/log.js'
 import { expandPath } from '../../utils/path.js'
-import {
-  checkWritePermissionForTool,
-  matchingRuleForInput,
-} from '../../utils/permissions/filesystem.js'
+import { checkWritePermissionForTool } from '../../utils/permissions/filesystem.js'
 import type { PermissionDecision } from '../../utils/permissions/PermissionResult.js'
 import { matchWildcardPattern } from '../../utils/permissions/shellRuleMatching.js'
-import { FILE_UNEXPECTEDLY_MODIFIED_ERROR } from '../FileEditTool/constants.js'
 import { gitDiffSchema, hunkSchema } from '../FileEditTool/types.js'
+import { callFileWriteTool } from './call.js'
 import { FILE_WRITE_TOOL_NAME, getWriteToolDescription } from './prompt.js'
 import {
   getToolUseSummary,
@@ -52,6 +17,7 @@ import {
   renderToolUseRejectedMessage,
   userFacingName,
 } from './UI.js'
+import { validateFileWriteInput } from './validateInput.js'
 
 const inputSchema = lazySchema(() =>
   z.strictObject({
@@ -150,270 +116,11 @@ export const FileWriteTool = buildTool({
     // shown — phantom. Under-count: tool_use already indexes file_path.
     return ''
   },
-  async validateInput({ file_path, content }, toolUseContext: ToolUseContext) {
-    const fullFilePath = expandPath(file_path)
-
-    // Reject writes to team memory files that contain secrets
-    const secretError = checkTeamMemSecrets(fullFilePath, content)
-    if (secretError) {
-      return { result: false, message: secretError, errorCode: 0 }
-    }
-
-    // Check if path should be ignored based on permission settings
-    const appState = toolUseContext.getAppState()
-    const denyRule = matchingRuleForInput(
-      fullFilePath,
-      appState.toolPermissionContext,
-      'edit',
-      'deny',
-    )
-    if (denyRule !== null) {
-      return {
-        result: false,
-        message:
-          'File is in a directory that is denied by your permission settings.',
-        errorCode: 1,
-      }
-    }
-
-    // SECURITY: Skip filesystem operations for UNC paths to prevent NTLM credential leaks.
-    // On Windows, fs.existsSync() on UNC paths triggers SMB authentication which could
-    // leak credentials to malicious servers. Let the permission check handle UNC paths.
-    if (fullFilePath.startsWith('\\\\') || fullFilePath.startsWith('//')) {
-      return { result: true }
-    }
-
-    const fs = getFsImplementation()
-    let fileMtimeMs: number
-    try {
-      const fileStat = await fs.stat(fullFilePath)
-      fileMtimeMs = fileStat.mtimeMs
-    } catch (e) {
-      if (isENOENT(e)) {
-        return { result: true }
-      }
-      throw e
-    }
-
-    const readTimestamp = toolUseContext.readFileState.get(fullFilePath)
-    if (!readTimestamp || readTimestamp.isPartialView) {
-      return {
-        result: false,
-        message:
-          'File has not been read yet. Read it first before writing to it.',
-        errorCode: 2,
-      }
-    }
-
-    // Reuse mtime from the stat above — avoids a redundant statSync via
-    // getFileModificationTime. The readTimestamp guard above ensures this
-    // block is always reached when the file exists.
-    const lastWriteTime = Math.floor(fileMtimeMs)
-    if (lastWriteTime > readTimestamp.timestamp) {
-      return {
-        result: false,
-        message:
-          'File has been modified since read, either by the user or by a linter. Read it again before attempting to write it.',
-        errorCode: 3,
-      }
-    }
-
-    return { result: true }
+  async validateInput(input, toolUseContext) {
+    return validateFileWriteInput(input, toolUseContext)
   },
-  async call(
-    { file_path, content },
-    { readFileState, updateFileHistoryState, dynamicSkillDirTriggers },
-    _,
-    parentMessage,
-  ) {
-    const fullFilePath = expandPath(file_path)
-    const dir = dirname(fullFilePath)
-
-    // Discover skills from this file's path (fire-and-forget, non-blocking)
-    const cwd = getCwd()
-    const newSkillDirs = await discoverSkillDirsForPaths([fullFilePath], cwd)
-    if (newSkillDirs.length > 0) {
-      // Store discovered dirs for attachment display
-      for (const dir of newSkillDirs) {
-        dynamicSkillDirTriggers?.add(dir)
-      }
-      // Don't await - let skill loading happen in the background
-      addSkillDirectories(newSkillDirs).catch(() => {})
-    }
-
-    // Activate conditional skills whose path patterns match this file
-    activateConditionalSkillsForPaths([fullFilePath], cwd)
-
-    await diagnosticTracker.beforeFileEdited(fullFilePath)
-
-    // Ensure parent directory exists before the atomic read-modify-write section.
-    // Must stay OUTSIDE the critical section below (a yield between the staleness
-    // check and writeTextContent lets concurrent edits interleave), and BEFORE the
-    // write (lazy-mkdir-on-ENOENT would fire a spurious tengu_atomic_write_error
-    // inside writeFileSyncAndFlush_DEPRECATED before ENOENT propagates back).
-    await getFsImplementation().mkdir(dir)
-    if (fileHistoryEnabled()) {
-      // Backup captures pre-edit content — safe to call before the staleness
-      // check (idempotent v1 backup keyed on content hash; if staleness fails
-      // later we just have an unused backup, not corrupt state).
-      await fileHistoryTrackEdit(
-        updateFileHistoryState,
-        fullFilePath,
-        parentMessage.uuid,
-      )
-    }
-
-    // Load current state and confirm no changes since last read.
-    // Please avoid async operations between here and writing to disk to preserve atomicity.
-    let meta: ReturnType<typeof readFileSyncWithMetadata> | null
-    try {
-      meta = readFileSyncWithMetadata(fullFilePath)
-    } catch (e) {
-      if (isENOENT(e)) {
-        meta = null
-      } else {
-        throw e
-      }
-    }
-
-    if (meta !== null) {
-      const lastWriteTime = getFileModificationTime(fullFilePath)
-      const lastRead = readFileState.get(fullFilePath)
-      if (!lastRead || lastWriteTime > lastRead.timestamp) {
-        // Timestamp indicates modification, but on Windows timestamps can change
-        // without content changes (cloud sync, antivirus, etc.). For full reads,
-        // compare content as a fallback to avoid false positives.
-        const isFullRead =
-          lastRead &&
-          lastRead.offset === undefined &&
-          lastRead.limit === undefined
-        // meta.content is CRLF-normalized — matches readFileState's normalized form.
-        if (!isFullRead || meta.content !== lastRead.content) {
-          throw new Error(FILE_UNEXPECTEDLY_MODIFIED_ERROR)
-        }
-      }
-    }
-
-    const enc = meta?.encoding ?? 'utf8'
-    const oldContent = meta?.content ?? null
-
-    // Write is a full content replacement — the model sent explicit line endings
-    // in `content` and meant them. Do not rewrite them. Previously we preserved
-    // the old file's line endings (or sampled the repo via ripgrep for new
-    // files), which silently corrupted e.g. bash scripts with \r on Linux when
-    // overwriting a CRLF file or when binaries in cwd poisoned the repo sample.
-    writeTextContent(fullFilePath, content, enc, 'LF')
-
-    // Notify LSP servers about file modification (didChange) and save (didSave)
-    const lspManager = getLspServerManager()
-    if (lspManager) {
-      // Clear previously delivered diagnostics so new ones will be shown
-      clearDeliveredDiagnosticsForFile(`file://${fullFilePath}`)
-      // didChange: Content has been modified
-      lspManager.changeFile(fullFilePath, content).catch((err: Error) => {
-        logForDebugging(
-          `LSP: Failed to notify server of file change for ${fullFilePath}: ${err.message}`,
-        )
-        logError(err)
-      })
-      // didSave: File has been saved to disk (triggers diagnostics in TypeScript server)
-      lspManager.saveFile(fullFilePath).catch((err: Error) => {
-        logForDebugging(
-          `LSP: Failed to notify server of file save for ${fullFilePath}: ${err.message}`,
-        )
-        logError(err)
-      })
-    }
-
-    // Notify VSCode about the file change for diff view
-    notifyVscodeFileUpdated(fullFilePath, oldContent, content)
-
-    // Update read timestamp, to invalidate stale writes
-    readFileState.set(fullFilePath, {
-      content,
-      timestamp: getFileModificationTime(fullFilePath),
-      offset: undefined,
-      limit: undefined,
-    })
-
-    // Log when writing to CLAUDE.md
-    if (fullFilePath.endsWith(`${sep}CLAUDE.md`)) {
-      logEvent('tengu_write_claudemd', {})
-    }
-
-    let gitDiff: ToolUseDiff | undefined
-    if (
-      isEnvTruthy(process.env.CLAUDE_CODE_REMOTE) &&
-      getFeatureValue_CACHED_MAY_BE_STALE('tengu_quartz_lantern', false)
-    ) {
-      const startTime = Date.now()
-      const diff = await fetchSingleFileGitDiff(fullFilePath)
-      if (diff) gitDiff = diff
-      logEvent('tengu_tool_use_diff_computed', {
-        isWriteTool: true,
-        durationMs: Date.now() - startTime,
-        hasDiff: !!diff,
-      })
-    }
-
-    if (oldContent) {
-      const patch = getPatchForDisplay({
-        filePath: file_path,
-        fileContents: oldContent,
-        edits: [
-          {
-            old_string: oldContent,
-            new_string: content,
-            replace_all: false,
-          },
-        ],
-      })
-
-      const data = {
-        type: 'update' as const,
-        filePath: file_path,
-        content,
-        structuredPatch: patch,
-        originalFile: oldContent,
-        ...(gitDiff && { gitDiff }),
-      }
-      // Track lines added and removed for file updates, right before yielding result
-      countLinesChanged(patch)
-
-      logFileOperation({
-        operation: 'write',
-        tool: 'FileWriteTool',
-        filePath: fullFilePath,
-        type: 'update',
-      })
-
-      return {
-        data,
-      }
-    }
-
-    const data = {
-      type: 'create' as const,
-      filePath: file_path,
-      content,
-      structuredPatch: [],
-      originalFile: null,
-      ...(gitDiff && { gitDiff }),
-    }
-
-    // For creation of new files, count all lines as additions, right before yielding the result
-    countLinesChanged([], content)
-
-    logFileOperation({
-      operation: 'write',
-      tool: 'FileWriteTool',
-      filePath: fullFilePath,
-      type: 'create',
-    })
-
-    return {
-      data,
-    }
+  async call(input, context, _, parentMessage) {
+    return callFileWriteTool(input, context, parentMessage)
   },
   mapToolResultToToolResultBlockParam({ filePath, type }, toolUseID) {
     switch (type) {

package/tui/src/tools/FileWriteTool/call.ts

@@ -0,0 +1,223 @@
+import { dirname, sep } from 'path'
+import { logEvent } from 'src/services/analytics/index.js'
+import { getFeatureValue_CACHED_MAY_BE_STALE } from '../../services/analytics/growthbook.js'
+import { diagnosticTracker } from '../../services/diagnosticTracking.js'
+import { clearDeliveredDiagnosticsForFile } from '../../services/lsp/LSPDiagnosticRegistry.js'
+import { notifyVscodeFileUpdated } from '../../services/mcp/vscodeSdkMcp.js'
+import {
+  activateConditionalSkillsForPaths,
+  addSkillDirectories,
+  discoverSkillDirsForPaths,
+} from '../../skills/loadSkillsDir.js'
+import type { ToolResult, ToolUseContext } from '../../Tool.js'
+import type { AssistantMessage } from '../../types/message.js'
+import { getCwd } from '../../utils/cwd.js'
+import { logForDebugging } from '../../utils/debug.js'
+import { countLinesChanged, getPatchForDisplay } from '../../utils/diff.js'
+import { isEnvTruthy } from '../../utils/envUtils.js'
+import { isENOENT } from '../../utils/errors.js'
+import { getFileModificationTime, writeTextContent } from '../../utils/file.js'
+import { logFileOperation } from '../../utils/fileOperationAnalytics.js'
+import { readFileSyncWithMetadata } from '../../utils/fileRead.js'
+import { getFsImplementation } from '../../utils/fsOperations.js'
+import {
+  fetchSingleFileGitDiff,
+  type ToolUseDiff,
+} from '../../utils/gitDiff.js'
+import { logError } from '../../utils/log.js'
+import { expandPath } from '../../utils/path.js'
+import { documentDerivativeMutationValidationForResolvedTarget } from '../DocumentPrimitive/documentMutationGuard.js'
+import { FILE_UNEXPECTEDLY_MODIFIED_ERROR } from '../FileEditTool/constants.js'
+import type { FileWriteInput } from './validateInput.js'
+
+type FileWritePatch = ReturnType<typeof getPatchForDisplay>
+
+type FileWriteUpdateData = {
+  type: 'update'
+  filePath: string
+  content: string
+  structuredPatch: FileWritePatch
+  originalFile: string
+  gitDiff?: ToolUseDiff
+}
+
+type FileWriteCreateData = {
+  type: 'create'
+  filePath: string
+  content: string
+  structuredPatch: FileWritePatch
+  originalFile: null
+  gitDiff?: ToolUseDiff
+}
+
+type FileWriteData = FileWriteUpdateData | FileWriteCreateData
+
+export async function callFileWriteTool(
+  { file_path, content }: FileWriteInput,
+  {
+    readFileState,
+    updateFileHistoryState,
+    dynamicSkillDirTriggers,
+  }: ToolUseContext,
+  parentMessage: AssistantMessage,
+): Promise<ToolResult<FileWriteData>> {
+  const fullFilePath = expandPath(file_path)
+  const documentValidation =
+    documentDerivativeMutationValidationForResolvedTarget(fullFilePath)
+  if (documentValidation !== null) throw new Error(documentValidation.message)
+
+  const dir = dirname(fullFilePath)
+
+  const cwd = getCwd()
+  const newSkillDirs = await discoverSkillDirsForPaths([fullFilePath], cwd)
+  if (newSkillDirs.length > 0) {
+    for (const dir of newSkillDirs) {
+      dynamicSkillDirTriggers?.add(dir)
+    }
+    addSkillDirectories(newSkillDirs).catch(() => {})
+  }
+
+  activateConditionalSkillsForPaths([fullFilePath], cwd)
+
+  await diagnosticTracker.beforeFileEdited(fullFilePath)
+
+  await getFsImplementation().mkdir(dir)
+  const { fileHistoryEnabled, fileHistoryTrackEdit } = await import(
+    '../../utils/fileHistory.js'
+  )
+  if (fileHistoryEnabled()) {
+    await fileHistoryTrackEdit(
+      updateFileHistoryState,
+      fullFilePath,
+      parentMessage.uuid,
+    )
+  }
+
+  let meta: ReturnType<typeof readFileSyncWithMetadata> | null
+  try {
+    meta = readFileSyncWithMetadata(fullFilePath)
+  } catch (e) {
+    if (isENOENT(e)) {
+      meta = null
+    } else {
+      throw e
+    }
+  }
+
+  if (meta !== null) {
+    const lastWriteTime = getFileModificationTime(fullFilePath)
+    const lastRead = readFileState.get(fullFilePath)
+    if (!lastRead || lastWriteTime > lastRead.timestamp) {
+      const isFullRead =
+        lastRead &&
+        lastRead.offset === undefined &&
+        lastRead.limit === undefined
+      if (!isFullRead || meta.content !== lastRead.content) {
+        throw new Error(FILE_UNEXPECTEDLY_MODIFIED_ERROR)
+      }
+    }
+  }
+
+  const enc = meta?.encoding ?? 'utf8'
+  const oldContent = meta?.content ?? null
+  writeTextContent(fullFilePath, content, enc, 'LF')
+
+  const { getLspServerManager } = await import('../../services/lsp/manager.js')
+  const lspManager = getLspServerManager()
+  if (lspManager) {
+    clearDeliveredDiagnosticsForFile(`file://${fullFilePath}`)
+    lspManager.changeFile(fullFilePath, content).catch((err: Error) => {
+      logForDebugging(
+        `LSP: Failed to notify server of file change for ${fullFilePath}: ${err.message}`,
+      )
+      logError(err)
+    })
+    lspManager.saveFile(fullFilePath).catch((err: Error) => {
+      logForDebugging(
+        `LSP: Failed to notify server of file save for ${fullFilePath}: ${err.message}`,
+      )
+      logError(err)
+    })
+  }
+
+  notifyVscodeFileUpdated(fullFilePath, oldContent, content)
+
+  readFileState.set(fullFilePath, {
+    content,
+    timestamp: getFileModificationTime(fullFilePath),
+    offset: undefined,
+    limit: undefined,
+  })
+
+  if (fullFilePath.endsWith(`${sep}CLAUDE.md`)) {
+    logEvent('tengu_write_claudemd', {})
+  }
+
+  let gitDiff: ToolUseDiff | undefined
+  if (
+    isEnvTruthy(process.env.CLAUDE_CODE_REMOTE) &&
+    getFeatureValue_CACHED_MAY_BE_STALE('tengu_quartz_lantern', false)
+  ) {
+    const startTime = Date.now()
+    const diff = await fetchSingleFileGitDiff(fullFilePath)
+    if (diff) gitDiff = diff
+    logEvent('tengu_tool_use_diff_computed', {
+      isWriteTool: true,
+      durationMs: Date.now() - startTime,
+      hasDiff: !!diff,
+    })
+  }
+
+  if (oldContent) {
+    const patch = getPatchForDisplay({
+      filePath: file_path,
+      fileContents: oldContent,
+      edits: [
+        {
+          old_string: oldContent,
+          new_string: content,
+          replace_all: false,
+        },
+      ],
+    })
+
+    const data: FileWriteUpdateData = {
+      type: 'update',
+      filePath: file_path,
+      content,
+      structuredPatch: patch,
+      originalFile: oldContent,
+      ...(gitDiff && { gitDiff }),
+    }
+    countLinesChanged(patch)
+
+    logFileOperation({
+      operation: 'write',
+      tool: 'FileWriteTool',
+      filePath: fullFilePath,
+      type: 'update',
+    })
+
+    return { data }
+  }
+
+  const data: FileWriteCreateData = {
+    type: 'create',
+    filePath: file_path,
+    content,
+    structuredPatch: [],
+    originalFile: null,
+    ...(gitDiff && { gitDiff }),
+  }
+
+  countLinesChanged([], content)
+
+  logFileOperation({
+    operation: 'write',
+    tool: 'FileWriteTool',
+    filePath: fullFilePath,
+    type: 'create',
+  })
+
+  return { data }
+}

package/tui/src/tools/FileWriteTool/validateInput.ts

@@ -0,0 +1,80 @@
+import type { ToolUseContext, ValidationResult } from '../../Tool.js'
+import { checkTeamMemSecrets } from '../../services/teamMemorySync/teamMemSecretGuard.js'
+import { isENOENT } from '../../utils/errors.js'
+import { getFsImplementation } from '../../utils/fsOperations.js'
+import { expandPath } from '../../utils/path.js'
+import { matchingRuleForInput } from '../../utils/permissions/filesystem.js'
+import { documentDerivativeMutationValidationForResolvedTarget } from '../DocumentPrimitive/documentMutationGuard.js'
+
+export type FileWriteInput = {
+  file_path: string
+  content: string
+}
+
+export async function validateFileWriteInput(
+  { file_path, content }: FileWriteInput,
+  toolUseContext: ToolUseContext,
+): Promise<ValidationResult> {
+  const fullFilePath = expandPath(file_path)
+  const documentValidation =
+    documentDerivativeMutationValidationForResolvedTarget(fullFilePath)
+  if (documentValidation !== null) return documentValidation
+
+  const secretError = checkTeamMemSecrets(fullFilePath, content)
+  if (secretError) {
+    return { result: false, message: secretError, errorCode: 0 }
+  }
+
+  const appState = toolUseContext.getAppState()
+  const denyRule = matchingRuleForInput(
+    fullFilePath,
+    appState.toolPermissionContext,
+    'edit',
+    'deny',
+  )
+  if (denyRule !== null) {
+    return {
+      result: false,
+      message:
+        'File is in a directory that is denied by your permission settings.',
+      errorCode: 1,
+    }
+  }
+
+  if (fullFilePath.startsWith('\\\\') || fullFilePath.startsWith('//')) {
+    return { result: true }
+  }
+
+  const fs = getFsImplementation()
+  let fileMtimeMs: number
+  try {
+    const fileStat = await fs.stat(fullFilePath)
+    fileMtimeMs = fileStat.mtimeMs
+  } catch (e) {
+    if (isENOENT(e)) {
+      return { result: true }
+    }
+    throw e
+  }
+
+  const readTimestamp = toolUseContext.readFileState.get(fullFilePath)
+  if (!readTimestamp || readTimestamp.isPartialView) {
+    return {
+      result: false,
+      message: 'File has not been read yet. Read it first before writing to it.',
+      errorCode: 2,
+    }
+  }
+
+  const lastWriteTime = Math.floor(fileMtimeMs)
+  if (lastWriteTime > readTimestamp.timestamp) {
+    return {
+      result: false,
+      message:
+        'File has been modified since read, either by the user or by a linter. Read it again before attempting to write it.',
+      errorCode: 3,
+    }
+  }
+
+  return { result: true }
+}

package/tui/src/tools/ListMcpResourcesTool/ListMcpResourcesTool.ts

@@ -9,6 +9,10 @@ import { lazySchema } from '../../utils/lazySchema.js'
 import { logMCPError } from '../../utils/log.js'
 import { jsonStringify } from '../../utils/slowOperations.js'
 import { isOutputLineTruncated } from '../../utils/terminal.js'
+import {
+  assertTrustedMcpServerForResourceAccess,
+  isTrustedMcpServer,
+} from '../MCPTool/trustPolicy.js'
 import { DESCRIPTION, LIST_MCP_RESOURCES_TOOL_NAME, PROMPT } from './prompt.js'
 import { renderToolResultMessage, renderToolUseMessage } from './UI.js'
 
@@ -16,6 +20,8 @@ const inputSchema = lazySchema(() =>
   z.object({
     server: z
       .string()
+      .trim()
+      .min(1, 'Server name cannot be empty')
       .optional()
       .describe('Optional server name to filter resources by'),
   }),
@@ -49,7 +55,7 @@ export const ListMcpResourcesTool = buildTool({
   },
   shouldDefer: true,
   name: LIST_MCP_RESOURCES_TOOL_NAME,
-  searchHint: 'list resources from connected MCP servers',
+  searchHint: 'list resources from connected MCP servers with trust boundary checks',
   maxResultSizeChars: 100_000,
   async description() {
     return DESCRIPTION
@@ -63,12 +69,19 @@ export const ListMcpResourcesTool = buildTool({
   get outputSchema(): OutputSchema {
     return outputSchema()
   },
-  async call(input, { options: { mcpClients } }) {
+  async call(input, { options: { mcpClients }, getAppState }) {
     const { server: targetServer } = input
+    const permissionContext = getAppState().toolPermissionContext
+
+    if (targetServer !== undefined) {
+      assertTrustedMcpServerForResourceAccess(permissionContext, targetServer)
+    }
 
     const clientsToProcess = targetServer
       ? mcpClients.filter(client => client.name === targetServer)
-      : mcpClients
+      : mcpClients.filter(client =>
+          isTrustedMcpServer(permissionContext, client.name),
+        )
 
     if (targetServer && clientsToProcess.length === 0) {
       throw new Error(
@@ -88,6 +101,9 @@ export const ListMcpResourcesTool = buildTool({
           const fresh = await ensureConnectedClient(client)
           return await fetchResourcesForClient(fresh)
         } catch (error) {
+          if (!(error instanceof Error)) {
+            throw error
+          }
           // One server's reconnect failure shouldn't sink the whole result.
           logMCPError(client.name, errorMessage(error))
           return []