Read-only by default
Every state-changing tool refuses until a human flips droost.settings.allow_destructive — and the refusal message teaches the exact command.
Footgun-reduction for a trusted local agent — honest about what it is and is not.
Every state-changing tool refuses until a human flips droost.settings.allow_destructive — and the refusal message teaches the exact command.
droost_eval (arbitrary PHP) sits behind a separate allow_eval gate that nothing else shares — nobody flips it by accident.
Destructive tools hard-refuse on any non-CLI transport. They exist over local STDIO through Drush — never over HTTP.
One permission gates the whole MCP surface, so never expose /_mcp on a real site. Droost belongs in require-dev, like Devel.
An agent with the flags on can change your site — that is the point. Intent guardrails (required confirms, missing-WHERE refusals, protected accounts, secret redaction) reduce accidents, not capability. Flip the flags off when the work is done; the server caches them, so reload it in both directions.