Require approval for callable MCP policies when agent is omitted (#2553)

tiffanycitra · web-flow · commit f04ab5519460 · 2026-02-26T15:03:50.000+09:00
diff --git a/src/agents/mcp/server.py b/src/agents/mcp/server.py
@@ -236,7 +236,7 @@ def _get_needs_approval_for_tool(
 
         if callable(policy):
             if agent is None:
-                return False
+                return True
 
             async def _needs_approval(
                 run_context: RunContextWrapper[Any], _args: dict[str, Any], _call_id: str
diff --git a/src/agents/mcp/util.py b/src/agents/mcp/util.py
@@ -240,8 +240,9 @@ def to_function_tool(
 
         The ``agent`` parameter is optional for backward compatibility with older
         call sites that used ``MCPUtil.to_function_tool(tool, server, strict)``.
-        When omitted, this helper preserves the historical behavior and leaves
-        ``needs_approval`` disabled.
+        When omitted, this helper preserves the historical behavior for static
+        policies. If the server uses a callable approval policy, approvals default
+        to required to avoid bypassing dynamic checks.
         """
         invoke_func_impl = functools.partial(cls.invoke_mcp_tool, server, tool)
         effective_failure_error_function = server._get_failure_error_function(
diff --git a/tests/mcp/test_mcp_util.py b/tests/mcp/test_mcp_util.py
@@ -322,6 +322,31 @@ async def test_to_function_tool_legacy_call_without_agent_uses_server_policy():
         pytest.fail(f"Unexpected tool result type: {type(result).__name__}")
 
 
+@pytest.mark.asyncio
+async def test_to_function_tool_legacy_call_callable_policy_requires_approval():
+    """Legacy to_function_tool calls should default to approval for callable policies."""
+
+    server = FakeMCPServer()
+    server.add_tool("legacy_callable_tool", {})
+
+    def require_approval(
+        _run_context: RunContextWrapper[Any],
+        _agent: Agent,
+        _tool: MCPTool,
+    ) -> bool:
+        return False
+
+    server._needs_approval_policy = require_approval  # type: ignore[assignment]
+
+    function_tool = MCPUtil.to_function_tool(
+        MCPTool(name="legacy_callable_tool", inputSchema={}),
+        server,
+        convert_schemas_to_strict=False,
+    )
+
+    assert function_tool.needs_approval is True
+
+
 @pytest.mark.asyncio
 async def test_mcp_tool_failure_error_function_agent_default():
     """Agent-level failure_error_function should handle MCP tool failures."""
