fix: include mcp_tool_permissions server ids in allowed mcp servers #22311

Merged
krrishdholakia merged 1 commit into BerriAI:litellm_oss_staging_02_28_2026 from umut-polat:fix/mcp-tool-permissions-servers
Feb 28, 2026

@umut-polat

when a key/team/end-user has mcp_tool_permissions for a server but that server isn't in mcp_servers, the server was excluded from the allowed list — making the tool permissions useless.

now we union the keys from mcp_tool_permissions into the allowed server set in all three functions: _get_allowed_mcp_servers_for_key, _get_allowed_mcp_servers_for_team, _get_allowed_mcp_servers_for_end_user.

test verifies that a server appearing only in tool_permissions is returned in the allowed list.

fixes #21954

@greptile-apps
Contributor

greptile-apps bot commented Feb 27, 2026

Greptile Summary

This PR fixes a bug where servers listed only in mcp_tool_permissions (and not in mcp_servers) were excluded from the allowed MCP server set, making the tool permissions for those servers ineffective. The fix unions the keys from mcp_tool_permissions into the allowed server list in all three permission-resolution functions: _get_allowed_mcp_servers_for_key, _get_allowed_mcp_servers_for_team, and _get_allowed_mcp_servers_for_end_user.

  • Bug fix: Servers referenced in mcp_tool_permissions are now included in the allowed server set alongside mcp_servers and access-group-resolved servers
  • Consistent application: The same fix pattern is applied to key, team, and end-user permission functions
  • Regression test: A new test verifies that a server appearing only in mcp_tool_permissions is returned in the allowed list (for the key path)
  • No new DB queries: The fix uses already-loaded permission objects — no additional database calls in the critical path

Confidence Score: 4/5

  • This PR is safe to merge — it's a small, well-scoped bug fix with a regression test and no new DB queries.
  • The change is minimal, consistent across all three functions, properly guarded against None values, and includes a regression test. The only minor gap is that the test only exercises the key function, not team or end_user. The intersection logic in the parent get_allowed_mcp_servers still correctly constrains the final result, so adding servers to individual lists doesn't bypass security — it just ensures tool permissions are respected at each level.
  • No files require special attention — changes are straightforward and well-guarded.

Important Files Changed

| Filename | Overview |
| --- | --- |
| litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py | Adds mcp_tool_permissions keys to the allowed server set in all three _get_allowed_mcp_servers_for_* functions. Changes are consistent, guarded against None, and deduplicated via set(). |
| tests/test_litellm/proxy/_experimental/mcp_server/auth/test_user_api_key_auth_mcp.py | Adds a regression test verifying servers in mcp_tool_permissions (but not in mcp_servers) are returned in the allowed list. Uses mocks only — no real network calls. Only tests the key function; team and end_user functions are not explicitly tested for this new behavior. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[get_allowed_mcp_servers] --> B[_get_allowed_mcp_servers_for_key]
    A --> C[_get_allowed_mcp_servers_for_team]
    A --> D[_get_allowed_mcp_servers_for_end_user]

    B --> B1[direct mcp_servers]
    B --> B2[access_group servers]
    B --> B3[mcp_tool_permissions keys ✨ NEW]
    B1 & B2 & B3 --> B4["union + deduplicate (set)"]

    C --> C1[direct mcp_servers]
    C --> C2[access_group servers]
    C --> C3[mcp_tool_permissions keys ✨ NEW]
    C1 & C2 & C3 --> C4["union + deduplicate (set)"]

    D --> D1[direct mcp_servers]
    D --> D2[access_group servers]
    D --> D3[mcp_tool_permissions keys ✨ NEW]
    D1 & D2 & D3 --> D4["union + deduplicate (set)"]

    B4 --> E{Both key & team\nhave servers?}
    C4 --> E
    E -->|Yes| F[Intersection of key ∩ team]
    E -->|No| G[Inherit from whichever has servers]
    F --> H{end_user has servers?}
    G --> H
    H -->|Yes| I[Intersection with end_user]
    H -->|No| J[Final allowed servers]
    I --> J

Last reviewed commit: 0502200
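
The resolution flow in the flowchart above, modelled as an added example (not LiteLLM's code and not part of this PR): `Permission`, `allowed_for_level`, `resolve_allowed` and the `include_tool_perm_keys` switch are hypothetical names, and the server ids are constructed. It compares the pre-fix and post-fix allowed sets and shows that a server named only in a key's tool permissions still has to survive the team intersection.

```python
# Added illustration of the flowchart's logic; names and data are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Permission:
    """Hypothetical stand-in for one level's (key, team or end-user) permission object."""
    mcp_servers: Optional[List[str]] = None
    access_group_servers: Optional[List[str]] = None  # assumed already resolved
    mcp_tool_permissions: Optional[Dict[str, List[str]]] = None


def allowed_for_level(perm: Optional[Permission], include_tool_perm_keys: bool = True) -> Set[str]:
    """Union of direct servers, access-group servers and (post-fix) tool-permission keys."""
    if perm is None:
        return set()
    servers = set(perm.mcp_servers or []) | set(perm.access_group_servers or [])
    if include_tool_perm_keys:
        servers |= set((perm.mcp_tool_permissions or {}).keys())
    return servers


def resolve_allowed(key, team, end_user=None, include_tool_perm_keys: bool = True) -> Set[str]:
    """Key/team intersection (or inheritance), then optional end-user intersection."""
    k = allowed_for_level(key, include_tool_perm_keys)
    t = allowed_for_level(team, include_tool_perm_keys)
    e = allowed_for_level(end_user, include_tool_perm_keys)
    allowed = (k & t) if (k and t) else (k or t)
    return (allowed & e) if e else allowed


# Constructed sample data: server ids and tool names are made up.
SAMPLE_KEY = Permission(mcp_servers=["server_a"],
                        mcp_tool_permissions={"server_b": ["read_file"]})
SAMPLE_TEAM = Permission(mcp_servers=["server_a", "server_b", "server_c"])
OUTSIDE_TEAM_KEY = Permission(mcp_servers=["server_a"],
                              mcp_tool_permissions={"server_d": ["read_file"]})

if __name__ == "__main__":
    print("pre-fix :", sorted(resolve_allowed(SAMPLE_KEY, SAMPLE_TEAM, include_tool_perm_keys=False)))
    print("post-fix:", sorted(resolve_allowed(SAMPLE_KEY, SAMPLE_TEAM)))
    print("team cap:", sorted(resolve_allowed(OUTSIDE_TEAM_KEY, SAMPLE_TEAM)))
    print("no team :", sorted(resolve_allowed(OUTSIDE_TEAM_KEY, None)))
```

Under this model, when the team level has no servers the key's set is inherited unchanged, so an `mcp_tool_permissions` entry on its own is enough to allow that server; entries there are worth auditing as server grants, not only as tool filters.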

@greptile-apps greptile-apps bot left a comment

2 files reviewed, no comments

when a key/team/end-user has mcp_tool_permissions for a server but that
server is not in mcp_servers, the server was excluded from the allowed
list — making the tool permissions useless.

now we union the keys from mcp_tool_permissions into the allowed server
set alongside direct servers and access group servers.

fixes BerriAI#21954

umut-polat force-pushed the fix/mcp-tool-permissions-servers branch from 0502200 to 9ad552f on February 27, 2026 22:32
krrishdholakia changed the base branch from main to litellm_oss_staging_02_28_2026 on February 28, 2026 03:38
krrishdholakia merged commit e3e9ac5 into BerriAI:litellm_oss_staging_02_28_2026 on Feb 28, 2026
25 of 30 checks passed
Development

Successfully merging this pull request may close these issues.

[Bug]: mcp_tool_permissions servers not included in allowed servers list
