Skip to content

fix: Settings no longer shows an unnecessary third-party tools permission#1020

Merged
hatayama merged 5 commits into
v3-betafrom
feature/hatayama/remove-third-party-tools-toggle
May 1, 2026
Merged

fix: Settings no longer shows an unnecessary third-party tools permission#1020
hatayama merged 5 commits into
v3-betafrom
feature/hatayama/remove-third-party-tools-toggle

Conversation

@hatayama
Copy link
Copy Markdown
Owner

@hatayama hatayama commented May 1, 2026
edited by coderabbitai Bot
Loading

Summary

  • Settings no longer shows the obsolete Allow Third Party Tools permission.
  • Custom tools remain available by default, with individual tool toggles still available when users want to hide specific tools.

User Impact

  • Users no longer need to understand or enable a separate third-party tools permission.
  • The CLI status row now uses the shorter CLI label instead of uloop-cli, making the Configuration section easier to scan.

Changes

  • Removed the third-party permission toggle, disabled-state handling, and stale permission persistence.
  • Kept legacy settings cleanup so old allowThirdPartyTools entries are removed when settings are rewritten.
  • Updated English and Japanese documentation to describe the current behavior.

Verification

  • uloop compile --project-path /Users/a12115/ghq/hatayama/unity-cli-loop
  • uloop run-tests --project-path /Users/a12115/ghq/hatayama/unity-cli-loop --test-mode EditMode --filter-type regex --filter-value "io\.github\.hatayama\.uLoopMCP\.(ULoopSettingsTests|ToolSettingsSectionTests)"
  • uloop run-tests --project-path /Users/a12115/ghq/hatayama/unity-cli-loop --test-mode EditMode --filter-type regex --filter-value "io\.github\.hatayama\.uLoopMCP\.(ToolSettingsSectionTests|McpEditorWindowRefreshPolicyTests|ULoopSettingsTests)"
  • uloop run-tests --project-path /Users/a12115/ghq/hatayama/unity-cli-loop --test-mode EditMode --filter-type regex --filter-value "io\.github\.hatayama\.uLoopMCP\.(ULoopSettingsTests|ToolSettingsSectionTests|McpEditorWindowRefreshPolicyTests)"

Overview

This PR removes the obsolete "Allow Third Party Tools" permission system from the settings and UI, transitioning custom tools to always-on availability by default. The change simplifies the settings interface while retaining per-tool visibility controls through individual tool toggles. Additionally, the CLI status label was shortened from "uloop-cli" to "CLI" for improved UI readability.

Key Changes

Settings Architecture

  • Removed field: allowThirdPartyTools from ULoopSettingsData record
  • Removed methods: GetAllowThirdPartyTools() and SetAllowThirdPartyTools() from ULoopSettings
  • Legacy cleanup: Extended LoadSettings() to detect and purge legacy allowThirdPartyTools entries from persisted JSON, forcing re-save when detected

Security & Access Control

  • Simplified logic: McpSecurityChecker.IsToolAllowedByAttribute() now always allows third-party tools instead of conditionally gating them
  • Removed third-party checks: Eliminated assembly-name-based classification and permission validation against GetAllowThirdPartyTools()
  • Maintained controls: Per-tool toggles remain for individual visibility management

User Interface Removal

  • Editor window: Removed OnAllowThirdPartyChanged event subscription and UpdateAllowThirdPartyTools() method from McpEditorWindow
  • Data model: Removed AllowThirdPartyTools property and constructor parameter from ToolSettingsSectionData
  • UI component: Deleted allow-third-party toggle, label, and event binding from ToolSettingsSection
  • Public API: Removed OnAllowThirdPartyChanged event from McpEditorWindowUI
  • Styling: Deleted .mcp-tool-list-row--disabled CSS class that previously dimmed restricted tools
  • Markup: Removed allow-third-party permission section from McpEditorWindow.uxml template

UI Polish

  • CLI status label: Changed from "uloop-cli:" to "CLI:" in three CLI status states (checking, installed with version, not installed)

Test Updates

  • Removed allowThirdPartyTools initialization from test fixture helpers across McpEditorWindowRefreshPolicyTests, ToolSettingsSectionTests, and ULoopSettingsTests
  • Updated test assertions to verify legacy field cleanup in persisted JSON
  • Removed UI construction for allow-third-party toggle in test roots

Documentation

  • English: Removed "Allow Third Party Tools" requirement language; clarified custom tools are always available with per-tool toggle control
  • Japanese: Updated README_ja.md and Packages/src/README_ja.md to reflect always-on behavior and removed permission requirement guidance
  • Scope refinement: Narrowed .uloop/settings.permissions.json documentation to describe only dynamic code execution security level

Impact

  • Simpler user experience: No separate enablement step required for custom tools
  • Cleaner settings UI: Fewer permission controls to navigate
  • Backward compatibility: Legacy settings are automatically cleaned up on next save
  • Retained flexibility: Individual tool visibility remains controllable via per-tool toggles

hatayama added 4 commits May 2, 2026 05:15
@hatayama
Always allow third-party tools
8542b1f 
Third-party tool access no longer needs a separate permission toggle, so remove the editor control and normalize persisted settings to keep custom tools available. Update docs and tests to match the always-on behavior.
@hatayama
Shorten CLI status label
c81fda1 
Use the concise CLI prefix in the settings window so the configuration status row matches the requested wording.
@hatayama
Remove third-party tool disable state
d819962 
Third-party tools are now always available, so remove the leftover UI state that could mark that group as disabled. This keeps the settings list behavior aligned with the always-on permission model.
@hatayama
Remove stale third-party permission settings
d0d81ec 
Third-party tools no longer have a separate permission gate, so remove the persisted setting, security checker branch, and related docs. Keep only legacy JSON cleanup so old allowThirdPartyTools entries are stripped when settings are rewritten.
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 1, 2026
edited
Loading

Warning

Rate limit exceeded

@hatayama has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 48 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: edc89d78-68f5-4f0e-9407-d9a2b431f31b

📥 Commits

Reviewing files that changed from the base of the PR and between d0d81ec and 30b3d6d.

📒 Files selected for processing (2)
  • Assets/Tests/Editor/ULoopSettingsTests.cs
  • Packages/src/Editor/Config/ULoopSettings.cs
📝 Walkthrough

Walkthrough

Removes the "Allow Third Party Tools" feature and all related code paths, including settings accessors, UI controls, security restrictions, and view data structures. Custom tools remain always available; visibility is now controlled exclusively through per-tool toggles.

Changes

Cohort / File(s) Summary
Settings & Data Models
Packages/src/Editor/Config/ULoopSettings.cs, Packages/src/Editor/Config/ULoopSettingsData.cs		 Removes allowThirdPartyTools field and getter/setter methods; adds legacy field detection to purge the setting from stored JSON during load if present.
Security Logic
Packages/src/Editor/Security/McpSecurityChecker.cs		 Removes third-party detection and permission checks; IsToolAllowedByAttribute now unconditionally allows tools with SecuritySettings.None, and GetBlockReason no longer varies reason based on third-party status.
UI Models & Controllers
Packages/src/Editor/UI/McpEditorModel.cs, Packages/src/Editor/UI/McpEditorWindow.cs, Packages/src/Editor/UI/UIToolkit/McpEditorWindowUI.cs		 Removes UpdateAllowThirdPartyTools method, OnAllowThirdPartyChanged event subscription/callback, and stops passing third-party setting to ToolSettingsSectionData.
UI View Data
Packages/src/Editor/UI/McpEditorWindowViewData.cs		 Removes AllowThirdPartyTools property and constructor parameter from ToolSettingsSectionData record.
UI Components
Packages/src/Editor/UI/UIToolkit/Components/ToolSettingsSection.cs, Packages/src/Editor/UI/UIToolkit/Components/CliSetupSection.cs		 Removes third-party toggle/label elements, OnAllowThirdPartyChanged event, IsThirdParty/CanToggle row metadata, and disable-state styling; updates CLI status text prefix from "uloop-cli:" to "CLI:".
UI Stylesheets & Templates
Packages/src/Editor/UI/UIToolkit/McpEditorWindow.uss, Packages/src/Editor/UI/UIToolkit/McpEditorWindow.uxml		 Removes .mcp-tool-list-row--disabled CSS rule and "Allow Third Party Tools" permission section (toggle, labels); updates CLI status initial text.
Tests
Assets/Tests/Editor/McpEditorWindowRefreshPolicyTests.cs, Assets/Tests/Editor/ToolSettingsSectionTests.cs, Assets/Tests/Editor/ULoopSettingsTests.cs		 Removes allowThirdPartyTools initialization and assertions; adjusts test fixtures and UI root construction to omit third-party controls; adds file-content checks confirming legacy field absence.
Documentation
Packages/src/README.md, Packages/src/README_ja.md, README.md, README_ja.md		 Removes references to "Allow Third Party Tools" requirement; clarifies custom tools are always available and visibility is controlled via per-tool toggles; narrows settings.permissions.json scope to dynamic code security only.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • PR #992: Directly removes the allowThirdPartyTools field and related UI components (ToolSettingsSectionData, ToolSettingsSection), mirroring core logic deletions in this PR.
  • PR #834: Modifies the same UI and settings code paths (ULoopSettings, ToolSettingsSection, McpEditorWindow) but in opposite direction (adds/relies on third-party feature).
  • PR #836: Alters the same security and settings surfaces (ULoopSettings, McpSecurityChecker, ToolSettingsSection) and impacts how tool visibility/permissions are represented.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: removal of the third-party tools permission from Settings, which is consistently reflected across all modified files (UI components, settings persistence, security checks, and documentation).
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/hatayama/remove-third-party-tools-toggle

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 44 minutes and 48 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Packages/src/Editor/Config/ULoopSettings.cs (1)

164-173: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep the legacy tool-toggle fields in the precedence probe.

LegacyFileHasSecurityFields() now ignores enableTestsExecution and allowMenuItemExecution, but MigrateFromLegacySettings() still relies on that same legacy JSON to migrate those values into per-tool toggles. On direct upgrades where UserSettings/UnityMcpSettings.json still has those fields and .uloop/settings.security.json exists with stale defaults, this change lets the stale .uloop file win and drops the user's old run-tests / menu-item disablement.

Proposed fix 
         private static bool LegacyFileHasSecurityFields()
         {
             if (!File.Exists(LegacySettingsFilePath))
             {
                 return false;
             }

             string json = File.ReadAllText(LegacySettingsFilePath);
             return json.Contains($"\"{LEGACY_ALLOW_THIRD_PARTY_TOOLS_FIELD}\"")
+                || json.Contains($"\"{nameof(LegacySecuritySettingsProbe.enableTestsExecution)}\"")
+                || json.Contains($"\"{nameof(LegacySecuritySettingsProbe.allowMenuItemExecution)}\"")
                 || json.Contains($"\"{nameof(LegacySecuritySettingsProbe.dynamicCodeSecurityLevel)}\"");
         }
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Packages/src/Editor/Config/ULoopSettings.cs` around lines 164 - 173,
LegacyFileHasSecurityFields() currently only checks for
LEGACY_ALLOW_THIRD_PARTY_TOOLS_FIELD and
LegacySecuritySettingsProbe.dynamicCodeSecurityLevel, which causes
MigrateFromLegacySettings() to miss legacy enableTestsExecution and
allowMenuItemExecution toggles; update LegacyFileHasSecurityFields() to also
detect the legacy JSON keys for enableTestsExecution and allowMenuItemExecution
(e.g. check json.Contains($"\"enableTestsExecution\"") and
json.Contains($"\"allowMenuItemExecution\"") or use the actual constant/nameof
values if present), so MigrateFromLegacySettings() can still read and migrate
those per-tool settings using LegacySettingsFilePath and the existing migration
logic.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@Packages/src/Editor/Config/ULoopSettings.cs`:
- Around line 164-173: LegacyFileHasSecurityFields() currently only checks for
LEGACY_ALLOW_THIRD_PARTY_TOOLS_FIELD and
LegacySecuritySettingsProbe.dynamicCodeSecurityLevel, which causes
MigrateFromLegacySettings() to miss legacy enableTestsExecution and
allowMenuItemExecution toggles; update LegacyFileHasSecurityFields() to also
detect the legacy JSON keys for enableTestsExecution and allowMenuItemExecution
(e.g. check json.Contains($"\"enableTestsExecution\"") and
json.Contains($"\"allowMenuItemExecution\"") or use the actual constant/nameof
values if present), so MigrateFromLegacySettings() can still read and migrate
those per-tool settings using LegacySettingsFilePath and the existing migration
logic.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a8282ced-b3a3-4938-a222-4fbc2064b637

📥 Commits

Reviewing files that changed from the base of the PR and between 4c76e95 and d0d81ec.

📒 Files selected for processing (18)
  • Assets/Tests/Editor/McpEditorWindowRefreshPolicyTests.cs
  • Assets/Tests/Editor/ToolSettingsSectionTests.cs
  • Assets/Tests/Editor/ULoopSettingsTests.cs
  • Packages/src/Editor/Config/ULoopSettings.cs
  • Packages/src/Editor/Config/ULoopSettingsData.cs
  • Packages/src/Editor/Security/McpSecurityChecker.cs
  • Packages/src/Editor/UI/McpEditorModel.cs
  • Packages/src/Editor/UI/McpEditorWindow.cs
  • Packages/src/Editor/UI/McpEditorWindowViewData.cs
  • Packages/src/Editor/UI/UIToolkit/Components/CliSetupSection.cs
  • Packages/src/Editor/UI/UIToolkit/Components/ToolSettingsSection.cs
  • Packages/src/Editor/UI/UIToolkit/McpEditorWindow.uss
  • Packages/src/Editor/UI/UIToolkit/McpEditorWindow.uxml
  • Packages/src/Editor/UI/UIToolkit/McpEditorWindowUI.cs
  • Packages/src/README.md
  • Packages/src/README_ja.md
  • README.md
  • README_ja.md
💤 Files with no reviewable changes (8)
  • Assets/Tests/Editor/McpEditorWindowRefreshPolicyTests.cs
  • Packages/src/Editor/Config/ULoopSettingsData.cs
  • Packages/src/Editor/UI/UIToolkit/McpEditorWindow.uss
  • Packages/src/Editor/UI/UIToolkit/McpEditorWindowUI.cs
  • Packages/src/Editor/UI/McpEditorWindowViewData.cs
  • Assets/Tests/Editor/ToolSettingsSectionTests.cs
  • Packages/src/Editor/UI/McpEditorModel.cs
  • Packages/src/Editor/UI/McpEditorWindow.cs

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 18 files

@hatayama
Preserve legacy tool-toggle migrations
30b3d6d 
Keep legacy run-tests and menu-item fields in the migration trigger so direct upgrades do not let stale extracted security defaults override the user's old tool-toggle settings.
@hatayama
Copy link
Copy Markdown
Owner Author

hatayama commented May 1, 2026

Addressed the CodeRabbit outside-diff finding in 30b3d6d. LegacyFileHasSecurityFields now treats enableTestsExecution and allowMenuItemExecution as migration triggers, and the regression test covers stale settings.security.json plus a legacy run-tests disablement.

@hatayama hatayama merged commit 1779170 into v3-beta May 1, 2026
8 checks passed
@hatayama hatayama deleted the feature/hatayama/remove-third-party-tools-toggle branch May 1, 2026 20:44
@github-actions github-actions Bot mentioned this pull request May 1, 2026
Closed
This was referenced May 10, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hatayama