Exercise 3: Mutation mode and introspection

8. Exercise 3: Mutation mode and introspection

Mutation mode

The MCP server's mutation_mode can be configured for:

No mutations to run (mutation_mode: none, which is the default)
Allowing pre-defined mutation operations through local files, operation collections and PQ but it blocks the LLM from creating ad-hoc mutations (mutation_mode: explicit)
Allowing any mutations to run (mutation_mode: any)

Introspection

You can configure the following MCP server tools to enable introspection capabilities:

introspect: Get the full GraphQL schema
search: Search for types, fields, or other schema elements
validate: Validate GraphQL queries without executing them
execute: Execute GraphQL operations dynamically

By default, all of these tools are disabled. To disable them, set enabled: false for the tools you want to disable, or omit them entirely from the configuration file.

Currently, our MCP server has enabled all the tools, but it would be better to disable the execute tool to prevent the LLM from executing arbitrary queries.

Exercise 3: Configuring mutation mode and introspection (⏳ 5 min)

Goal: Configure the MCP server to only allow pre-defined mutation operations and disable the execute tool.

Steps

Configure the MCP server to only allow pre-defined mutation operations through local files, operation collections and PQ but it blocks the LLM from creating ad-hoc mutations.
mcp/mcp.yaml
overrides:
mutation_mode: explicit

Configure the MCP server to disable the execute tool.

mcp/mcp.yaml

introspection:
  execute:
    enabled: false

Restart the MCP server.

rover dev --supergraph-config supergraph.yaml --router-config router.yaml  --mcp mcp.yaml

Connect to the MCP Inspector. You should see a new AddFunds tool (a mutation) and the absence of the execute tool. Note that AddFunds is only available for logged-in guest users (guest@example.com with password guest456!).

Task!

I've configured the MCP server's mutation mode and disabled the execute tool.