coder
diff --git a/‎cli/server.go
Lines changed: 6 additions & 0 deletions b/‎cli/server.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 9 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 9 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/externalauth/externalauth.go
Lines changed: 29 additions & 0 deletions b/‎coderd/externalauth/externalauth.go
Lines changed: 29 additions & 0 deletions
diff --git a/‎codersdk/deployment.go
Lines changed: 3 additions & 0 deletions b/‎codersdk/deployment.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/reference/api/general.md
Lines changed: 3 additions & 0 deletions b/‎docs/reference/api/general.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/reference/api/schemas.md
Lines changed: 15 additions & 0 deletions b/‎docs/reference/api/schemas.md
Lines changed: 15 additions & 0 deletions
diff --git a/‎site/src/api/typesGenerated.ts
Lines changed: 3 additions & 0 deletions b/‎site/src/api/typesGenerated.ts
Lines changed: 3 additions & 0 deletions
diff --git a/‎site/src/pages/DeploymentSettingsPage/ExternalAuthSettingsPage/ExternalAuthSettingsPageView.stories.tsx
Lines changed: 3 additions & 0 deletions b/‎site/src/pages/DeploymentSettingsPage/ExternalAuthSettingsPage/ExternalAuthSettingsPageView.stories.tsx
Lines changed: 3 additions & 0 deletions
@@ -2717,6 +2717,12 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder
 			provider.DisplayName = v.Value
 		case "DISPLAY_ICON":
 			provider.DisplayIcon = v.Value
+		case "MCP_URL":
+			provider.MCPURL = v.Value
+		case "MCP_TOOL_ALLOWLIST":
+			provider.MCPToolAllowlist = v.Value
+		case "MCP_TOOL_DENYLIST":
+			provider.MCPToolDenylist = v.Value
 		}
 		providers[providerNum] = provider
 	}
 
@@ -81,6 +81,17 @@ type Config struct {
 	// AppInstallationsURL is an API endpoint that returns a list of
 	// installations for the user. This is used for GitHub Apps.
 	AppInstallationsURL string
+	// MCPURL is the endpoint that clients must use to communicate with the associated
+	// MCP server.
+	MCPURL string
+	// MCPToolAllowlistPattern is a [regexp.Regexp] to match tools which are explicitly allowed to be
+	// injected into Coder AI Bridge upstream requests.
+	// In the case of conflicts, [MCPToolDenylistPattern] overrides items evaluated by this list.
+	MCPToolAllowlistPattern *regexp.Regexp
+	// MCPToolAllowlistPattern is a [regexp.Regexp] to match tools which are explicitly NOT allowed to be
+	// injected into Coder AI Bridge upstream requests.
+	// In the case of conflicts, items evaluated by this list override [MCPToolAllowlistPattern].
+	MCPToolDenylistPattern *regexp.Regexp
 }
 
 // GenerateTokenExtra generates the extra token data to store in the database.
@@ -608,6 +619,21 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut
 			instrumented = instrument.NewGithub(entry.ID, oauthConfig)
 		}
 
+		var mcpToolAllow *regexp.Regexp
+		var mcpToolDeny *regexp.Regexp
+		if entry.MCPToolAllowlist != "" {
+			mcpToolAllow, err = regexp.Compile(entry.MCPToolAllowlist)
+			if err != nil {
+				return nil, xerrors.Errorf("compile MCP tool allowlist for external auth provider %q: %w", entry.ID, entry.MCPToolAllowlist)
+			}
+		}
+		if entry.MCPToolDenylist != "" {
+			mcpToolDeny, err = regexp.Compile(entry.MCPToolDenylist)
+			if err != nil {
+				return nil, xerrors.Errorf("compile MCP tool denylist for external auth provider %q: %w", entry.ID, entry.MCPToolDenylist)
+			}
+		}
+
 		cfg := &Config{
 			InstrumentedOAuth2Config: instrumented,
 			ID:                       entry.ID,
@@ -620,6 +646,9 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut
 			DisplayName:              entry.DisplayName,
 			DisplayIcon:              entry.DisplayIcon,
 			ExtraTokenKeys:           entry.ExtraTokenKeys,
+			MCPURL:                   entry.MCPURL,
+			MCPToolAllowlistPattern:  mcpToolAllow,
+			MCPToolDenylistPattern:   mcpToolDeny,
 		}
 
 		if entry.DeviceFlow {
 
@@ -737,6 +737,9 @@ type ExternalAuthConfig struct {
 	ExtraTokenKeys      []string `json:"-" yaml:"extra_token_keys"`
 	DeviceFlow          bool     `json:"device_flow" yaml:"device_flow"`
 	DeviceCodeURL       string   `json:"device_code_url" yaml:"device_code_url"`
+	MCPURL              string   `json:"mcp_url" yaml:"mcp_url"`
+	MCPToolAllowlist    string   `json:"mcp_tool_allowlist" yaml:"mcp_tool_allowlist"`
+	MCPToolDenylist     string   `json:"mcp_tool_denylist" yaml:"mcp_tool_denylist"`
 	// Regex allows API requesters to match an auth config by
 	// a string (e.g. coder.com) instead of by it's type.
 	//
 
@@ -23,6 +23,9 @@ const meta: Meta<typeof ExternalAuthSettingsPageView> = {
 					device_code_url: "",
 					display_icon: "",
 					display_name: "GitHub",
+					mcp_url: "",
+					mcp_tool_allowlist: "",
+					mcp_tool_denylist: "",
 				},
 			],
 		},
Original file line number	Diff line number	Diff line change
`@@ -2717,6 +2717,12 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder`
`2717`	`2717`	`provider.DisplayName = v.Value`
`2718`	`2718`	`case "DISPLAY_ICON":`
`2719`	`2719`	`provider.DisplayIcon = v.Value`
	`2720`	`+ case "MCP_URL":`
	`2721`	`+ provider.MCPURL = v.Value`
	`2722`	`+ case "MCP_TOOL_ALLOWLIST":`
	`2723`	`+ provider.MCPToolAllowlist = v.Value`
	`2724`	`+ case "MCP_TOOL_DENYLIST":`
	`2725`	`+ provider.MCPToolDenylist = v.Value`
`2720`	`2726`	`}`
`2721`	`2727`	`providers[providerNum] = provider`
`2722`	`2728`	`}`