Description
For chat tools that read data, what the user actually wants to approve is not the read request but the response. For example, a GitHub issue may have content that's invisible when seeing the rendered issue and would only be detectable if approval happens after retrieving it and before giving it to the model. Same deal with the `fetch` tool.
For MCP land, we currently prompt pre-approval for tools that have `readOnlyHint` or `openWorldHint`. Once this happens I will not request pre-approval for `readOnlyHint` and only post-approval for `openWorldHint`.
Downside is that I think for fetch we kind of want to approve both cases, at least for untrusted domains, which is a little annoying. Likewise tools that are open world but not readonly may 'properly' need two approvals.
cc @Tyriar @TylerLeonhardt for discussion
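
The approval split described in this issue, sketched as an added example (not code from the issue or from VS Code). `approvalStages`, `hiddenSpans`, `ToolHints`, the `untrustedFetch` flag and the sample text are hypothetical names and constructed data; absent hints are treated as false here, which is a simplification.

```typescript
type Stage = "pre" | "post";

interface ToolHints {
  readOnlyHint?: boolean;  // MCP tool annotation named in the issue
  openWorldHint?: boolean; // MCP tool annotation named in the issue
}

// Read-only tools skip pre-approval, open-world tools get post-approval,
// open-world tools that are not read-only get both. `untrustedFetch`
// models the fetch-on-untrusted-domain case that wants both prompts.
function approvalStages(hints: ToolHints, untrustedFetch = false): Stage[] {
  const stages: Stage[] = [];
  if (hints.readOnlyHint !== true || untrustedFetch) stages.push("pre");
  if (hints.openWorldHint === true || untrustedFetch) stages.push("post");
  return stages;
}

// What a post-approval prompt could surface: parts of the raw response
// that the rendered view would not show the user.
function hiddenSpans(raw: string): string[] {
  const found: string[] = [];
  const comment = /<!--([\s\S]*?)-->/g;
  let m: RegExpExecArray | null;
  while ((m = comment.exec(raw)) !== null) {
    found.push("html-comment: " + m[1].trim());
  }
  const zeroWidth = raw.match(/[\u200B-\u200F\u2060\uFEFF]/g);
  if (zeroWidth) found.push("zero-width chars: " + zeroWidth.length);
  // Unicode tag characters U+E0000..U+E007F, matched as surrogate pairs.
  const tagChars = raw.match(/\uDB40[\uDC00-\uDC7F]/g);
  if (tagChars) found.push("unicode tag chars: " + tagChars.length);
  return found;
}

// Constructed issue body: renders as two short lines, carries two hidden parts.
const SAMPLE_ISSUE_BODY =
  "Steps to reproduce:\u200B open the file.\n" +
  "<!-- hidden text addressed to the model -->\n" +
  "Thanks!";

function reviewSample(): { stages: Stage[]; hidden: string[] } {
  const stages = approvalStages({ readOnlyHint: true, openWorldHint: true });
  const hidden = stages.indexOf("post") >= 0 ? hiddenSpans(SAMPLE_ISSUE_BODY) : [];
  return { stages, hidden };
}
```
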