Rename MCP skills to toolsets and support finer-grained tool access controls

[dcramer]

Summary

Rename the current skill-based MCP authorization/tool exposure model to "toolsets" and extend it with more granular controls for which tools are exposed.

Evidence

• The repository currently presents MCP capability groups as "skills" in code, docs, CLI flags, environment variables, and the OAuth approval UI.
• packages/mcp-core/src/skills.ts defines the current skill registry: inspect, seer, docs, triage, and project-management.
• packages/mcp-core/src/server.ts filters registered tools from context.grantedSkills.
• The stdio transport supports coarse controls via --skills, MCP_SKILLS, --disable-skills, and MCP_DISABLE_SKILLS.
• The remote OAuth approval dialog renders selectable skills from skillDefinitions.
• Validation performed: inspected the current skills implementation, docs, CLI configuration, OAuth approval UI, and duplicate-search candidates. No runtime tests were run because this is a feature/design request.

Impact

Users and maintainers who configure MCP permissions currently interact with "skills" terminology and coarse-grained bundles. Renaming them to "toolsets" may better match common MCP terminology, while finer-grained controls could reduce unnecessary tool exposure and token overhead.

Next Steps

• Decide the desired public terminology and migration path from "skills" to "toolsets".
• Define the granularity model: named toolsets only, per-tool allow/deny lists, or both.
• Update core types, generated definitions, OAuth approval UI, stdio flags/env vars, docs, and tests consistently.
• Preserve backward compatibility for existing skills/grantedSkills tokens or configuration where needed.

---

Original Report

Original issue text

Original Title

Rename skill-based permissions to toolsets and add more granular controls

Original Body

No body provided.