
The 3-State Model

Every tool exposed by an MCP server has exactly one of three states. This model is the foundation of everything MCPFirewall does.

Enabled

The tool works normally. Calls pass through the gateway to the upstream server without interruption. Every call is logged in the Activity Log.

Use this for tools you trust in the current context.

Requires Approval

The tool call is intercepted and held. A notification appears in the dashboard (and as an OS notification on your desktop). You review the tool name, arguments, and server, then choose:

  • Approve to let the call proceed
  • Deny to block it (the AI receives an error)
  • Always Allow to approve this call and switch the tool to Enabled for the rest of the session

While waiting, the AI client’s request stays open. The gateway parks the goroutine with near-zero CPU overhead, so holding even hundreds of requests costs almost nothing.

If you do not respond within the configured timeout, the call is automatically denied.

See Approve Requests for the full approval workflow.

Disabled

The tool is invisible. When the AI client asks for the list of available tools, disabled tools are filtered out of the response. The AI never sees them, so it never tries to call them.

This is different from denying a call. A denied tool still appears in the tool list, and the AI may keep trying to use it. A disabled tool does not exist from the AI’s perspective.

Tool modes are configured in rulesets. A ruleset defines the mode for each tool across all your servers. You can set modes at two levels:

  • Server-level: applies to every tool on that server as a baseline
  • Tool-level override: applies to a specific tool and takes precedence

For example, you could set a server to “Requires Approval” for all tools, then override read-only tools to “Enabled” so lookups pass through without interruption.

See Rulesets for how to create and configure them.
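
The override precedence and the approval timeout described above, shown together as an added Go example; this is not MCPFirewall's code. The `Key` and `Ruleset` types, the `Gate` function, and the fallback to Requires Approval for a tool with no rule at all are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

type Mode int

const (
	Enabled Mode = iota
	RequiresApproval
	Disabled
)

// Hypothetical ruleset shape (not MCPFirewall's format): Key{server, ""} is the
// server-level baseline, Key{server, tool} is a tool-level override.
type Key struct{ Server, Tool string }
type Ruleset map[Key]Mode

// Resolve: the override wins. Assumption: a tool with no rule at all requires approval.
func (r Ruleset) Resolve(server, tool string) Mode {
	for _, k := range []Key{{server, tool}, {server, ""}} {
		if m, ok := r[k]; ok {
			return m
		}
	}
	return RequiresApproval
}

// Gate reports whether to forward a call; decision carries the reviewer's answer.
func (r Ruleset) Gate(server, tool string, decision <-chan bool, timeout time.Duration) bool {
	switch r.Resolve(server, tool) {
	case Enabled:
		return true
	case RequiresApproval:
		select { // the goroutine blocks here while the request is held
		case approved := <-decision:
			return approved
		case <-time.After(timeout): // nobody answered in time: deny
		}
	}
	return false // Disabled (never forwarded), or the approval timed out
}

func main() {
	rs := Ruleset{{"files", ""}: RequiresApproval, {"files", "read_file"}: Enabled}
	fmt.Println(rs.Gate("files", "read_file", nil, time.Second))          // override: forwarded
	fmt.Println(rs.Gate("files", "write_file", nil, 50*time.Millisecond)) // no answer: denied
}
```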

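|                     | Enabled     | Requires Approval   | Disabled            |
|---------------------|-------------|---------------------|---------------------|
| Tool visible to AI  | Yes         | Yes                 | No                  |
| Call goes to server | Immediately | After you approve   | Never               |
| Logged in activity  | Yes         | Yes                 | No (nothing to log) |
| AI can retry        | N/A         | Gets error if denied | Cannot attempt     |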