refactor(tools): integrate mcp_call with confirmation flow and improve lazy loading

- Add `match_against_confirm_deny` to `ToolMcpCall` to proxy confirmation checks
  to underlying MCP tools before execution, enabling normal pause/deny flow
- Disable parallel execution for `mcp_call` and add input validation for `args`
- Filter disabled MCP tools from `mcp_search` results
- Enhance MCP lazy loading with `is_integration_mcp_tool` helper to exclude
  proxy builtins (`mcp_call`, `mcp_search`) from filtering logic, making it
  idempotent and cache-safe
- Apply lazy filter consistently in chat tool handling

Author: JegernOUTT

refact-agent/engine/src/chat/tools.rs

@@ -64,7 +64,8 @@ async fn resolve_tool_call_aliases(
     mode_id: &str,
     model_id: Option<&str>,
 ) -> Vec<ChatToolCall> {
-    let available_tools = crate::tools::tools_list::get_tools_for_mode(gcx, mode_id, model_id).await;
+    let raw_tools = crate::tools::tools_list::get_tools_for_mode(gcx, mode_id, model_id).await;
+    let available_tools = crate::tools::tools_list::apply_mcp_lazy_filter(raw_tools).tools;
     let tool_names: Vec<String> = available_tools.iter().map(|t| t.tool_description().name.clone()).collect();
     let registry = build_registry_from_names(&tool_names);
     if !registry.needs_aliasing() {
@@ -863,10 +864,11 @@ pub async fn check_tools_confirmation(
         .collect();
 
     let all_tools =
-        crate::tools::tools_list::get_tools_for_mode(gcx.clone(), mode_id, model_id)
-            .await
-            .into_iter()
-            .filter_map(|tool| {
+        crate::tools::tools_list::apply_mcp_lazy_filter(
+            crate::tools::tools_list::get_tools_for_mode(gcx.clone(), mode_id, model_id).await
+        ).tools
+        .into_iter()
+        .filter_map(|tool| {
                 let spec = tool.tool_description();
                 if needed_names.contains(spec.name.as_str()) {
                     Some((spec.name, tool))

refact-agent/engine/src/tools/tool_mcp_call.rs

@@ -7,7 +7,7 @@ use tokio::sync::Mutex as AMutex;
 
 use crate::at_commands::at_commands::AtCommandsContext;
 use crate::call_validation::ContextEnum;
-use crate::tools::tools_description::{MatchConfirmDenyResult, Tool, ToolConfig, ToolDesc, ToolGroupCategory, ToolSource, ToolSourceType};
+use crate::tools::tools_description::{MatchConfirmDeny, MatchConfirmDenyResult, Tool, ToolConfig, ToolDesc, ToolGroupCategory, ToolSource, ToolSourceType};
 use crate::tools::tools_list::get_integration_tools;
 
 pub struct ToolMcpCall {}
@@ -18,7 +18,7 @@ impl Tool for ToolMcpCall {
         ToolDesc {
             name: "mcp_call".to_string(),
             experimental: false,
-            allow_parallel: true,
+            allow_parallel: false,
             description: "Execute any MCP tool by name with the given arguments. \
                 Use `mcp_tool_search` first to discover the tool name and its input schema, \
                 then call this with the exact arguments the schema requires."
@@ -51,6 +51,53 @@ impl Tool for ToolMcpCall {
         Ok(ToolConfig { enabled: true, allow_parallel: None })
     }
 
+    /// Proxy confirmation/deny checks to the underlying MCP tool so that
+    /// `check_tools_confirmation()` can trigger the normal pause/deny flow
+    /// before `tool_execute` is ever called.
+    async fn match_against_confirm_deny(
+        &self,
+        ccx: Arc<AMutex<AtCommandsContext>>,
+        args: &HashMap<String, Value>,
+    ) -> Result<crate::tools::tools_description::MatchConfirmDeny, String> {
+        let tool_name = match args.get("tool_name").and_then(|v| v.as_str()) {
+            Some(n) => n.to_string(),
+            None => return Ok(MatchConfirmDeny {
+                result: MatchConfirmDenyResult::PASS,
+                command: String::new(),
+                rule: String::new(),
+            }),
+        };
+
+        let tool_args: HashMap<String, Value> = args.get("args")
+            .and_then(|v| v.as_object())
+            .map(|obj| obj.iter().map(|(k, v)| (k.clone(), v.clone())).collect())
+            .unwrap_or_default();
+
+        let gcx = ccx.lock().await.global_context.clone();
+        let mut integration_groups = get_integration_tools(gcx).await;
+
+        // Move the tool out of the groups so it can be awaited safely.
+        let mut found_tool: Option<Box<dyn Tool + Send>> = None;
+        'outer: for group in &mut integration_groups {
+            if !matches!(group.category, ToolGroupCategory::MCP) {
+                continue;
+            }
+            if let Some(pos) = group.tools.iter().position(|t| t.tool_description().name == tool_name) {
+                found_tool = Some(group.tools.remove(pos));
+                break 'outer;
+            }
+        }
+
+        match found_tool {
+            Some(tool) => tool.match_against_confirm_deny(ccx, &tool_args).await,
+            None => Ok(MatchConfirmDeny {
+                result: MatchConfirmDenyResult::PASS,
+                command: String::new(),
+                rule: String::new(),
+            }),
+        }
+    }
+
     async fn tool_execute(
         &mut self,
         ccx: Arc<AMutex<AtCommandsContext>>,
@@ -62,10 +109,13 @@ impl Tool for ToolMcpCall {
             .ok_or_else(|| "mcp_call: missing required argument 'tool_name'".to_string())?
             .to_string();
 
-        let tool_args: HashMap<String, Value> = args.get("args")
-            .and_then(|v| v.as_object())
-            .map(|obj| obj.iter().map(|(k, v)| (k.clone(), v.clone())).collect())
-            .unwrap_or_default();
+        let tool_args: HashMap<String, Value> = match args.get("args") {
+            None => return Err("mcp_call: missing required argument 'args'".to_string()),
+            Some(v) => match v.as_object() {
+                None => return Err("mcp_call: argument 'args' must be an object".to_string()),
+                Some(obj) => obj.iter().map(|(k, v)| (k.clone(), v.clone())).collect(),
+            },
+        };
 
         let gcx = ccx.lock().await.global_context.clone();
         let mut integration_groups = get_integration_tools(gcx).await;
@@ -89,19 +139,8 @@ impl Tool for ToolMcpCall {
             )
         })?;
 
-        let confirm_result = tool.match_against_confirm_deny(ccx.clone(), &tool_args).await
-            .map_err(|e| format!("mcp_call confirmation check failed: {}", e))?;
-        if confirm_result.result == MatchConfirmDenyResult::DENY {
-            return Err(format!(
-                "MCP tool '{}' was denied by rule '{}'",
-                tool_name, confirm_result.rule
-            ));
-        }
-        if confirm_result.result == MatchConfirmDenyResult::CONFIRMATION {
-            return Err(format!(
-                "MCP tool '{}' requires user confirmation (rule '{}'). Use the tool directly instead of via mcp_call to enable the confirmation flow.",
-                tool_name, confirm_result.rule
-            ));
+        if !tool.config().unwrap_or_default().enabled {
+            return Err(format!("MCP tool '{}' is disabled.", tool_name));
         }
 
         tool.tool_execute(ccx, tool_call_id, &tool_args).await

refact-agent/engine/src/tools/tool_mcp_search.rs

@@ -75,6 +75,7 @@ impl Tool for ToolMcpSearch {
         let matched: Vec<(String, String, Value)> = integration_groups.iter()
             .filter(|g| matches!(g.category, ToolGroupCategory::MCP))
             .flat_map(|g| g.tools.iter())
+            .filter(|tool| tool.config().unwrap_or_default().enabled)
             .filter(|tool| {
                 let d = tool.tool_description();
                 re.is_match(&d.name) || re.is_match(&d.description)

refact-agent/engine/src/tools/tools_list.rs

@@ -8,7 +8,7 @@ use crate::integrations::running_integrations::load_integrations;
 use crate::yaml_configs::customization_registry::get_project_registry;
 use crate::caps::resolve_chat_model;
 
-use super::tools_description::{Tool, ToolGroup, ToolGroupCategory};
+use super::tools_description::{Tool, ToolGroup, ToolGroupCategory, ToolSourceType};
 use super::tool_config_subagent::ToolConfigSubagent;
 
 /// When MCP tool count exceeds this threshold, lazy loading activates.
@@ -32,15 +32,27 @@ pub struct ToolsForMode {
     pub mcp_tool_index: Vec<(String, String)>,
 }
 
+/// Returns true for real MCP integration tools, false for the proxy builtins
+/// (`mcp_call`, `mcp_tool_search`) which share the "mcp" name prefix but have
+/// `ToolSourceType::Builtin`. This makes `apply_mcp_lazy_filter` idempotent.
+fn is_integration_mcp_tool(t: &Box<dyn Tool + Send>) -> bool {
+    let d = t.tool_description();
+    d.name.starts_with("mcp") && matches!(d.source.source_type, ToolSourceType::Integration)
+}
+
 /// Apply MCP lazy-loading to a flat tool list returned by `get_tools_for_mode`.
 ///
 /// When there are more than `MCP_LAZY_THRESHOLD` MCP tools, ALL individual MCP
 /// schemas are replaced by two fixed proxy tools (`mcp_tool_search` + `mcp_call`).
 /// The tool list produced here NEVER changes during the session — cache-safe.
+///
+/// Safe to call multiple times: proxy tools have `ToolSourceType::Builtin` so they
+/// are never counted or removed by subsequent calls.
 pub fn apply_mcp_lazy_filter(mut tools: Vec<Box<dyn Tool + Send>>) -> ToolsForMode {
-    // Collect the index of ALL MCP tools (by name prefix convention) before filtering.
+    // Collect the index of ALL real MCP integration tools before filtering.
+    // Proxy builtins (mcp_call / mcp_tool_search) are excluded via source_type check.
     let mcp_tool_index: Vec<(String, String)> = tools.iter()
-        .filter(|t| t.tool_description().name.starts_with("mcp"))
+        .filter(|t| is_integration_mcp_tool(t))
         .map(|t| {
             let d = t.tool_description();
             (d.name, d.description)
@@ -51,8 +63,8 @@ pub fn apply_mcp_lazy_filter(mut tools: Vec<Box<dyn Tool + Send>>) -> ToolsForMo
     let mcp_lazy_mode = mcp_total_count > MCP_LAZY_THRESHOLD;
 
     if mcp_lazy_mode {
-        // Drop ALL individual MCP tool schemas.
-        tools.retain(|t| !t.tool_description().name.starts_with("mcp"));
+        // Drop ALL individual MCP tool schemas (integration tools only).
+        tools.retain(|t| !is_integration_mcp_tool(t));
         // Inject two fixed proxies — tool list is now stable for the session.
         tools.push(Box::new(crate::tools::tool_mcp_search::ToolMcpSearch {}));
         tools.push(Box::new(crate::tools::tool_mcp_call::ToolMcpCall {}));