Configuring which features a server exposes is gated by the Manage feature provisioning settings capability. If you don’t see provisioning controls on a server within a gateway, your role doesn’t have it — capabilities are assigned per role and fully configurable, so access depends on the capability, not on any fixed role name. See the capabilities reference.
Why govern features: the over-provisioning problem
Every tool a server exposes is described to the model in metadata — a name, a description, and an input schema — and that metadata is read straight into the model’s context on every request. Servers routinely expose far more tools than any one task needs (a single server’s tool count can swing from dozens to over a hundred between releases). Exposing all of them has three costs at once:- Cost. Tool metadata is frequently many times larger than the user’s actual prompt, and you pay for those tokens on every call.
- Accuracy. Irrelevant tool definitions pull the model off course; a tighter, relevant toolset measurably improves how reliably it picks the right tool.
- Security. Every exposed tool is attack surface — a capability the agent could be tricked into calling, and a description that could carry a hidden instruction.
The three provisioning modes
For each server on a gateway, and independently for each feature type (tools, prompts, resources), you choose one of three schemes:- Allowing all — every capability of that type passes through. Convenient, and the scheme a server gets when first assigned to a gateway, but it exposes the full surface.
- Allow if conditions are met — only capabilities matching an explicit allowlist pass; everything else is hidden and uncallable. This is least privilege in practice.
- Blocking all — no capability of that type is exposed. Use this to switch off, say, prompts or resources entirely while keeping tools.
Pinning a capability by its metadata
Under Allow selected, each allowlist entry is a condition that matches a capability on the fields you choose — its name, its title, and its description. The matching is exact, and it combines in two directions:- Within one condition, all the fields you specify must match (a logical AND). A condition that pins both name and description matches only a capability whose name and description are exactly what you approved.
- Across multiple conditions, any one match is enough (a logical OR). The first condition a capability satisfies admits it.
A defense against tool poisoning and rug pulls
Pinning on the description is the control that neutralizes two specific MCP attacks:- Tool poisoning — a server embeds hidden instructions in a tool’s description or schema. Because that text enters the model’s context, a poisoned description is effectively untrusted code aimed at your agent.
- Rug pulls — a tool that was benign when you approved it is silently changed afterward, so its description (or behavior) turns malicious without any visible signal.
Be precise about the mechanism: this protection is the allowlist condition no longer matching, which filters the changed capability out. It is enforcement by exact match, not a separate change-detection system that diffs against a stored snapshot or notifies you that a specific field changed. The security outcome — unreviewed metadata never reaches the model — is the same, and every filtered or blocked capability is recorded in your logs (see below).
Why an allowlist, not a denylist
MCP Manager filters by allowlist — you name what passes, and everything else is hidden. It deliberately does not offer the inverse: a denylist that exposes every capability except a named few you block. A denylist reads as convenient (“expose this server, just hide itssend_email tool”), but it fails open the moment the upstream server changes, because the block is anchored to capability metadata the server itself controls:
- A renamed capability escapes the block. Block
send_email, and if the server later renames it todispatch_email, your rule no longer matches — the tool passes the gateway unblocked. - A newly added capability is exposed unreviewed. If the server adds
bulk_send_email, a denylist that names onlysend_emaillets the new tool through with no chance for you to see it first.
How a governed decision appears in logs
Feature-governance decisions are recorded so you can audit them. In your logs, a capability removed from a list because it didn’t match the allowlist is logged with the typegateway_feature_filtered, and a directly attempted call to a disallowed capability is logged as gateway_feature_blocked. This lets you confirm what a gateway is exposing and catch the moment a previously-passing tool stops matching — for example, when an upstream server renames or rewrites it.
Feature governance versus runtime rules
Feature governance and runtime protections are complementary layers, and it helps to keep them distinct:- Feature governance decides which capabilities exist on the gateway — applied to tools, prompts, and resources, before any call is made. It is about exposure and least privilege.
- Runtime rules scan the content of allowed calls — applied to tool calls and results — and can block, redact, or rewrite them in flight.
Further reading
Runtime Protections
The complementary layer that scans the content of the calls governance allows through.
Curating exposed tools
How a gateway presents one filtered, namespaced toolset across many servers.
Feature Provisioning
The how-to for building allowlists and pinning tools by their metadata.
Viewing logs
The
gateway_feature_filtered and gateway_feature_blocked log types, and the full column reference.External sources
MCP tools specification
How tools, their descriptions, and schemas are defined in the protocol.

