Skip to main content

The safety model

Footgun-reduction for a trusted local agent — honest about what it is and is not.

Read-only by default

Every state-changing tool refuses until a human flips droost.settings.allow_destructive — and the refusal message teaches the exact command.

Eval is its own flag

droost_eval (arbitrary PHP) sits behind a separate allow_eval gate that nothing else shares — nobody flips it by accident.

CLI-only danger tier

Destructive tools hard-refuse on any non-CLI transport. They exist over local STDIO through Drush — never over HTTP.

Local means local

One permission gates the whole MCP surface, so never expose /_mcp on a real site. Droost belongs in require-dev, like Devel.

Not a sandbox — a contract

An agent with the flags on can change your site — that is the point. Intent guardrails (required confirms, missing-WHERE refusals, protected accounts, secret redaction) reduce accidents, not capability. Flip the flags off when the work is done; the server caches them, so reload it in both directions.