Fix: Only add new servers to unrestricted groups by default

aarora79 · aarora79 · commit a6b6672a4a87 · 2025-10-01T18:08:24.000Z
Modified add_server_to_scopes() to only add newly registered servers
to unrestricted groups (mcp-servers-unrestricted/read and execute).
Previously, servers were being added to both unrestricted AND restricted
groups, which violated the principle of least privilege.

Changes:
- registry/utils/scopes_manager.py: Updated sections list in
  add_server_to_scopes() to only include unrestricted groups
- docs/service-management.md: Added documentation explaining the
  default behavior when registering new servers

This ensures new servers are only accessible to users with unrestricted
permissions by default. Administrators can explicitly add servers to
restricted groups using add_server_to_groups() when needed.
diff --git a/docs/service-management.md b/docs/service-management.md
@@ -416,6 +416,14 @@ This complete example demonstrates the full lifecycle of server management using
 
 ## Advanced Scopes Management
 
+### Default Server Registration Behavior
+
+When a new server is registered, it is **automatically added to unrestricted scopes groups only**:
+- `mcp-servers-unrestricted/read`
+- `mcp-servers-unrestricted/execute`
+
+This means that by default, newly registered servers are accessible to users with unrestricted permissions. If you need to add a server to restricted groups or change its access level, use the commands below.
+
 ### Adding Servers to Custom Scopes Groups
 
 You can dynamically add servers to specific scopes groups using the service management script. This is useful for fine-grained access control where you want to assign different servers to different user groups.
diff --git a/registry/utils/scopes_manager.py b/registry/utils/scopes_manager.py
@@ -106,12 +106,10 @@ async def add_server_to_scopes(server_path: str, server_name: str, tools: List[s
         # Create the server entry
         server_entry = _create_server_entry(server_path, tools)
 
-        # Add to all standard scope sections
+        # Add to unrestricted scope sections only
         sections = [
             "mcp-servers-unrestricted/read",
-            "mcp-servers-unrestricted/execute",
-            "mcp-servers-restricted/read",
-            "mcp-servers-restricted/execute"
+            "mcp-servers-unrestricted/execute"
         ]
 
         modified = False
