
feat(cli): add 'tools approve|reject' for pending tool quarantine (MCP-2919)#722

Merged: Dumbris merged 1 commit into main from feat/mcp-2919-tools-approve-reject-cli on Jun 19, 2026
Conversation

@Dumbris (Member) commented Jun 19, 2026

Summary

Adds CLI commands to approve / reject tools pending tool-level quarantine (Spec 032), so operators can clear pending/changed tools without the Web UI or MCP. Previously only server-level mcpproxy security approve|reject existed; there was no per-tool approve/reject.

mcpproxy tools approve <server:tool> [<server:tool>...]   # approve specific tools
mcpproxy tools approve --server <name> --all              # approve all pending/changed
mcpproxy tools reject  <server:tool> [...]                # block = approve+disable (hide)
mcpproxy tools reject  --server <name> --all
  • Accepts the <server>:<tool> format used elsewhere; bare tool names can be scoped with --server.
  • reject maps to the block endpoint (atomic approve+disable), mirroring the Web UI "Block".
  • -o json|yaml / --json / MCPPROXY_OUTPUT supported via ResolveOutputFormat() + clioutput; default table output prints a concise per-server confirmation.

Wiring

  • REST endpoints already existed: POST /api/v1/servers/{id}/tools/approve and .../tools/block.
  • cliclient already had ApproveTools; this adds a sibling BlockTools (POST /tools/block, reads data.blocked).
  • Client construction follows runSecurityApprove (socket detection + API-key fallback via newSecurityCLIClient); multi-target grouping mirrors runToolsSetEnabled.

Tests (TDD)

  • internal/cliclient/client_block_tools_test.go: BlockTools request shape (specific tools, block_all, API error).
  • cmd/mcpproxy/tools_approval_test.go — arg parsing: server:tool split, bare-tool --server scoping, --all requires --server, --all rejects positional, mixed colon/flag grouping, no-target guidance.

Verification

  • go test ./cmd/mcpproxy/... ./internal/cliclient/... -race — green.
  • go build -o mcpproxy ./cmd/mcpproxy — green.
  • golangci-lint run --config .github/.golangci.yml (v2) on changed packages — 0 issues.
  • Live smoke against a running core:
    • tools approve gcore-mcp-server:cdn_client_config_get → flipped pending to approved.
    • tools approve --server gcore-mcp-server cdn_cdn_resources_ls -o json → structured result.
    • tools reject hugginface:hf_doc_search → tool now approved and disabled:true (block semantics).
    • tools approve --server hugginface --all → safe no-op (0 pending).
    • Validation paths (--all without --server, bare tool without --server, no targets) exit non-zero with guidance.

Docs

  • docs/cli-management-commands.md documents both subcommands, flags, examples, and behavior (ENG-9).

Related #MCP-2919

Add CLI commands to clear tools pending tool-level quarantine (Spec 032)
without the Web UI or MCP:

  mcpproxy tools approve <server:tool>...        # approve specific tools
  mcpproxy tools approve --server <name> --all   # approve all pending/changed
  mcpproxy tools reject  <server:tool>...        # block = approve+disable
  mcpproxy tools reject  --server <name> --all

Targets accept the <server>:<tool> format used elsewhere, or bare tool
names scoped via --server. reject maps to the atomic block endpoint
(approve+disable), mirroring the Web UI "Block" action.

- Add cliclient.BlockTools sibling to ApproveTools (POST /tools/block).
- Group targets per server; process independently; -o json|yaml emits a
  structured per-server result array.
- Docs: document both subcommands in cli-management-commands.md.

Related #MCP-2919
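
Added example, not part of this PR and not mcpproxy's own code: a sketch of the target-grouping rules the description and test list state (server:tool split, bare names scoped by --server, --all requires --server and rejects positionals, no-target guidance). The function name groupTargets, the error strings, the split at the first colon, and the sample server and tool names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// groupTargets is a hypothetical helper (not mcpproxy's code). It maps CLI
// targets to a per-server tool list; a nil list means "all pending/changed".
func groupTargets(server string, all bool, args []string) (map[string][]string, error) {
	if all {
		if server == "" {
			return nil, errors.New("--all requires --server")
		}
		if len(args) > 0 {
			return nil, errors.New("--all cannot be combined with tool names")
		}
		return map[string][]string{server: nil}, nil
	}
	if len(args) == 0 {
		return nil, errors.New("no targets: pass <server:tool> or --server <name> --all")
	}
	groups := make(map[string][]string)
	for _, arg := range args {
		// Assumption: split at the first colon, so the tool part may contain colons.
		srv, tool, qualified := strings.Cut(arg, ":")
		if !qualified {
			srv, tool = server, arg // bare tool name: scope it with --server
		}
		if srv == "" || tool == "" {
			// Refuse to guess a server for a quarantine decision.
			return nil, fmt.Errorf("target %q needs <server:tool> or --server", arg)
		}
		groups[srv] = append(groups[srv], tool)
	}
	return groups, nil
}

func main() {
	// Constructed sample input: one qualified target, one bare target.
	g, err := groupTargets("srv-b", false, []string{"srv-a:read_file", "list_dir"})
	fmt.Println(g, err)
}
```

Failing closed on an unscoped bare name matters here because an approval applied to the wrong server would release a tool from quarantine without review.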
@cloudflare-workers-and-pages

Deploying mcpproxy-docs with Cloudflare Pages

Latest commit: 3b92de4
Status: ✅  Deploy successful!
Preview URL: https://44febbe0.mcpproxy-docs.pages.dev
Branch Preview URL: https://feat-mcp-2919-tools-approve.mcpproxy-docs.pages.dev

@codecov-commenter

Codecov Report

❌ Patch coverage is 50.95541% with 77 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| cmd/mcpproxy/tools_approval.go | 44.91% | 62 Missing and 3 partials ⚠️ |
| internal/cliclient/client.go | 67.56% | 6 Missing and 6 partials ⚠️ |

@github-actions

📦 Build Artifacts

Workflow Run: View Run
Branch: feat/mcp-2919-tools-approve-reject-cli

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (25 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27810813887 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

@mcpproxy-gatekeeper (bot) left a comment

Approved via Claude Code review (MCP-2919). CLI tools approve|reject: per-server arg grouping, --all requires --server, reject=block endpoint; cliclient BlockTools mirrors ApproveTools with correct payloads. go build OK; go test -race ./cmd/mcpproxy ./internal/cliclient pass; golangci-lint v2 0 issues; CI 34/34 green.

@Dumbris Dumbris merged commit 40969d1 into main Jun 19, 2026
39 checks passed