GC-201a · Module 2
Tool Permissions & Filtering
Gemini CLI's tool system is permission-controlled. By default, potentially dangerous operations — shell commands, file writes, file deletions — require your approval. The approval prompt shows what tool is being called, with what arguments, and waits for your explicit yes. This is the right default. But for trusted workflows in trusted environments, you need finer control than approve-everything or approve-nothing.
The includeTools and excludeTools arrays in settings.json control which tools are available to the model. includeTools creates a whitelist — only the listed tools are available. excludeTools creates a blacklist — everything except the listed tools is available. This is critical for MCP servers that expose dozens of tools when you only need three. Without filtering, every tool description consumes context tokens and adds noise to the model's decision-making.
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "includeTools": [
        "create_pull_request",
        "list_issues",
        "get_file_contents",
        "create_issue_comment"
      ]
    }
  },
  "trustedFolders": [
    "/home/user/projects/my-trusted-app"
  ]
}
Do This
- Use includeTools to whitelist only the MCP tools you actually need
- Set trustedFolders for projects where you want auto-approved file operations
- Review /tools output to understand what is consuming your context
Avoid This
- Leave all MCP tools enabled when you only use 3 of 30 available tools
- Use --yolo in production environments to skip all approvals
- Ignore tool count — each tool definition eats context tokens whether used or not
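To check a settings.json against the guidance above, the following audit script is an added example (not part of this module's original material and not Gemini CLI code). It reads the includeTools, excludeTools and trustedFolders keys shown above and reports servers left unfiltered or filtered only by a blacklist; the sample servers "internal-db" and "scratch" and the folder-depth threshold are assumptions made for illustration.

```python
import json
from pathlib import PurePosixPath

# Constructed sample: same keys as the settings.json on this page; the
# "internal-db" and "scratch" servers and their commands are hypothetical.
SAMPLE_SETTINGS = """
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "includeTools": ["create_pull_request", "list_issues"]
    },
    "internal-db": {"command": "db-mcp", "excludeTools": ["drop_table"]},
    "scratch": {"command": "scratch-mcp"}
  },
  "trustedFolders": ["/home/user/projects/my-trusted-app", "/home"]
}
"""

# Assumption (a heuristic, not a Gemini CLI rule): a trusted folder with fewer
# than this many path parts ("/", "home", "user" is 3) covers too much.
MIN_TRUSTED_PARTS = 4


def audit_settings(settings):
    """Return sorted (severity, subject, message) findings for a settings dict."""
    findings = []
    for name, server in settings.get("mcpServers", {}).items():
        include = server.get("includeTools")
        exclude = server.get("excludeTools")
        if include is not None:
            findings.append(("ok", name, f"allowlist of {len(include)} tools"))
        elif exclude:
            findings.append(("warn", name,
                             "denylist only: any tool not listed stays available"))
        else:
            findings.append(("high", name,
                             "no filter: every tool the server exposes is available"))
    for folder in settings.get("trustedFolders", []):
        if len(PurePosixPath(folder).parts) < MIN_TRUSTED_PARTS:
            findings.append(("warn", folder, "trusted folder is very broad"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, subject, message in audit_settings(json.loads(SAMPLE_SETTINGS)):
        print(f"{severity:5} {subject}: {message}")
```

Run it against your own file by replacing SAMPLE_SETTINGS with the contents of settings.json; a "high" finding means the server has no tool filter at all.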