feat(ai-mcp): block MCP server autostart in untrusted workspaces

[ndoschek]

What it does

Resolves GH-16872

This PR integrates workspace trust into the MCP autostart logic:

• MCP servers defined at the workspace/folder scope are blocked from autostarting in untrusted workspaces
• User-level MCP servers continue to start regardless of the trust state, as they are user-controlled
• When workspace trust is granted, previously blocked servers are automatically started
• When trust is revoked, workspace-scoped servers are stopped

Additionally, this introduces a WorkspaceRestrictionContribution API, allowing packages to contribute information about restricted features to the "Restricted Mode" status bar tooltip.

Remark: This might be replaced later on by a separate Restricted Mode view widget to control different functions and give better overview later on, but for now the information should be sufficient in the status bar item tooltip.

How to test

1. Create a new test folder with .theia/settings.json containing an mcp server definition, e.g.:

     {
       "ai-features.mcp.mcpServers": {
          "Context7": {
             "type": "http",
             "serverUrl": "https://mcp.context7.com/mcp",
             "autostart": true
          },
       }
     }

2. Open the folder in Theia - workspace trust dialog should appear
3. Choose "Don't Trust"
4. Open the AI Configuration view (Alt+a) and verify the MCP server does NOT start
5. Check the "Restricted Mode" status bar item tooltip: it should list the blocked MCP server(s)
6. Grant trust via the status bar item: verify the MCP server starts automatically
7. Also verify that user-level MCP servers (in user settings) still start regardless of trust state
8. Optional: You can also toggle the trust state via the command Manage Workspace Trust

Follow-ups

• Consider moving restricted mode details to a dedicated view widget for better overview and possible actions (e.g., selectively enabling features). The tooltip seems to be sufficient for now.

Breaking changes

• This PR introduces breaking changes and requires careful review. If yes, the breaking changes section in the changelog has been updated.

Attribution

Review checklist

• As an author, I have thoroughly tested my changes and carefully followed the review guidelines
• User-facing text is internationalized using the nls service (for details, please see the Internationalization/Localization section in the Coding Guidelines)

Reminder for reviewers

• As a reviewer, I agree to behave in accordance with the review guidelines

[colin-grant-work]

Suggested change

	`The workspace trust feature is currently under development in Theia.
	If you trust the authors, code in this folder may be executed.
	If not, some features will be disabled. Please note that not all features are yet integrated with workspace trust (e.g., debug, tasks).
	Check the 'Restricted Mode' indicator in the status bar for details.`
	`If you trust the authors, code in this folder may be executed.
	If not, some features will be disabled.
	The workspace trust feature is currently under development in Theia; not all features are integrated with workspace trust yet.
	Check the 'Restricted Mode' indicator in the status bar for details.`

[colin-grant-work]

I think it makes sense that these are the servers we'd really want to make sure don't autostart, but maybe it would make sense not to autostart any MCP servers, even though specified in user scope if workspace trust is denied? Basically, it's hard to know how the servers / LLM's using them might interact with malicious content in a workspace, so from a security perspective, it may be better to just block the autostart feature entirely? Particularly if the user can manually start any they're fully confident in.

[ndoschek]

Thanks, that's a good point! I've updated it to block all MCP server autostart when workspace trust is denied. Users can still manually start servers they trust.

[colin-grant-work]

Changes look good 👍