feat: implement --read-only mode with tool filtering

- Adds --read-only CLI flag to restrict OAuth scopes to read-only permissions
- Implements dynamic tool filtering to disable tools requiring write permissions when in read-only mode
- Updates auth/scopes.py to manage read-only scope mappings
- Enhances @require_google_service and handle_http_errors decorators to propagate scope metadata
- Updates documentation in README.md
Dmytro Dziuma
2025-12-24 00:19:28 +00:00
parent a446b72104
commit 0d4394ae27
6 changed files with 113 additions and 25 deletions

11
main.py

@@ -118,6 +118,11 @@ def main():
default="stdio",
help="Transport mode: stdio (default) or streamable-http",
)
parser.add_argument(
"--read-only",
action="store_true",
help="Run in read-only mode - requests only read-only scopes and disables tools requiring write permissions",
)
args = parser.parse_args()
# Set port and base URI once for reuse throughout the function
@@ -139,6 +144,8 @@ def main():
safe_print(f" 🔗 URL: {display_url}")
safe_print(f" 🔐 OAuth Callback: {display_url}/oauth2callback")
safe_print(f" 👤 Mode: {'Single-user' if args.single_user else 'Multi-user'}")
if args.read_only:
safe_print(" 🔒 Read-Only: Enabled")
safe_print(f" 🐍 Python: {sys.version.split()[0]}")
safe_print("")
@@ -231,9 +238,11 @@ def main():
wrap_server_tool_method(server)
from auth.scopes import set_enabled_tools
from auth.scopes import set_enabled_tools, set_read_only
set_enabled_tools(list(tools_to_import))
if args.read_only:
set_read_only(True)
safe_print(
f"🛠️ Loading {len(tools_to_import)} tool module{'s' if len(tools_to_import) != 1 else ''}:"