feat: add toolsets for filtering tools #79

Open: surian wants to merge 1 commit into hashicorp:main from surian:feat/toolsets

surian commented Feb 17, 2026

terraform-mcp-server has a feature to filter tools to enable.

This PR is implementing this feature on vault-mcp-server.

@surian surian requested a review from a team as a code owner February 17, 2026 13:36

Copilot AI left a comment

Pull request overview

Adds tool filtering support to vault-mcp-server, allowing operators to enable either groups of tools (“toolsets”) or an explicit allowlist of individual tools when registering MCP tools.

Changes:

  • Introduces pkg/toolsets with toolset definitions, tool-to-toolset mapping, and validation/expansion helpers (all, default, concrete toolsets).
  • Updates CLI to accept --toolsets and --tools, parse/validate inputs, and pass the enabled set into tool registration.
  • Updates tool registration to conditionally register tools based on the enabled toolsets/tools; adds tests and README documentation.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/toolsets/toolsets.go | Defines toolset names, default toolsets, validation/cleaning, and help text generation. |
| pkg/toolsets/mapping.go | Adds tool-to-toolset mapping and the core IsToolEnabled logic, plus individual-tool mode. |
| pkg/toolsets/toolsets_test.go | Unit tests for toolset helpers (defaults, cleaning, expansion, help). |
| pkg/toolsets/mapping_test.go | Unit tests for tool enabling logic and mapping completeness. |
| pkg/tools/tools.go | Switches to conditional registration via toolsets.IsToolEnabled(...). |
| cmd/vault-mcp-server/main.go | Parses --toolsets / --tools, wires enabled tool configuration into server startup. |
| cmd/vault-mcp-server/init.go | Adds persistent CLI flags for tool filtering with generated help text. |
| README.md | Documents tool filtering and updates usage/examples. |

Comment on lines +395 to +400
// Ensure --toolsets is not also set
toolsetsFlag, _ := cmd.Flags().GetString("toolsets")
if toolsetsFlag == "" {
toolsetsFlag, _ = cmd.Root().PersistentFlags().GetString("toolsets")
}
if toolsetsFlag != "" && toolsetsFlag != "default" {
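Review bot: both GetString("toolsets") calls discard their error with `_`, so if the flag is ever renamed or not registered on that FlagSet, toolsetsFlag is silently empty and the mutual-exclusion check is skipped. Return the error from the lookup instead of ignoring it, so a broken flag wiring fails at startup rather than loosening the tool filter.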

Copilot AI Mar 9, 2026


The mutual-exclusion check for --tools vs --toolsets will always trigger because toolsets is a persistent flag with default value "all" (so toolsetsFlag is never empty even when the user did not set it). This makes --tools=... unusable unless the user also overrides --toolsets to default, which contradicts the intent.

Consider checking whether the toolsets flag was explicitly set (e.g., Flags().Changed("toolsets") / PersistentFlags().Changed("toolsets") or inspecting the specific FlagSet where it was defined) instead of comparing the resolved value against empty/default strings.

Suggested change
// Ensure --toolsets is not also set
toolsetsFlag, _ := cmd.Flags().GetString("toolsets")
if toolsetsFlag == "" {
toolsetsFlag, _ = cmd.Root().PersistentFlags().GetString("toolsets")
}
if toolsetsFlag != "" && toolsetsFlag != "default" {
// Ensure --toolsets is not also explicitly set
toolsetsSet := cmd.Flags().Changed("toolsets") || cmd.Root().PersistentFlags().Changed("toolsets")
if toolsetsSet {

Copilot uses AI. Check for mistakes.
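The default-versus-explicitly-set distinction raised in the comment above, as an added example that is not code from this PR. It uses Go's standard `flag` package in place of cobra/pflag, assumes the "all" default the comment mentions, and `parseFilters` with its `naive` switch is a hypothetical name.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
)

// parseFilters is a hypothetical stand-in for the server's flag handling.
// naive=true reproduces the value-comparison check from the hunk;
// naive=false asks whether --toolsets was explicitly set.
func parseFilters(args []string, naive bool) (toolsets, tools string, err error) {
	fs := flag.NewFlagSet("vault-mcp-server", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	fs.StringVar(&toolsets, "toolsets", "all", "toolsets to enable")
	fs.StringVar(&tools, "tools", "", "individual tools to enable")
	if err = fs.Parse(args); err != nil {
		return "", "", err
	}
	if tools == "" {
		return toolsets, "", nil
	}
	conflict := false
	if naive {
		// The default "all" is neither "" nor "default", so this is true
		// even when the operator never passed --toolsets.
		conflict = toolsets != "" && toolsets != "default"
	} else {
		// Visit walks only the flags that were set during Parse.
		fs.Visit(func(f *flag.Flag) {
			if f.Name == "toolsets" {
				conflict = true
			}
		})
	}
	if conflict {
		return "", "", errors.New("--tools and --toolsets are mutually exclusive")
	}
	// Individual-tool mode: the toolsets default is not applied (assumption).
	return "", tools, nil
}

func main() {
	args := []string{"--tools=read_secret,list_mounts"} // constructed input
	_, _, errNaive := parseFilters(args, true)
	_, tools, errFixed := parseFilters(args, false)
	fmt.Println("value check:", errNaive)
	fmt.Println("explicit-set check:", tools, errFixed)
}
```

The value comparison also fails in the other direction: an explicit `--toolsets=default` combined with `--tools` passes the naive check but is rejected by the explicit-set check.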
Comment thread README.md
Comment on lines +239 to +241
# Filter tools (optional)
docker run -i --rm vault-mcp-server:dev --toolsets=sys,kv
docker run -i --rm vault-mcp-server:dev --tools=read_secret,list_mounts

Copilot AI Mar 9, 2026


The new Docker examples for --toolsets / --tools omit the required Vault connection env vars (e.g., VAULT_ADDR, VAULT_TOKEN) and transport settings used in the preceding command, so as written they won’t successfully start a functional server. Consider showing these flags as additions to the existing docker run ... -e VAULT_ADDR=... -e VAULT_TOKEN=... example (or explicitly noting that the same env/network flags are still required).

Suggested change
# Filter tools (optional)
docker run -i --rm vault-mcp-server:dev --toolsets=sys,kv
docker run -i --rm vault-mcp-server:dev --tools=read_secret,list_mounts
# Filter tools (optional; same network/env settings as above)
docker run --network=mcp -e VAULT_ADDR='http://vault-dev:8200' -e VAULT_TOKEN='<your-token-from-last-step>' -e TRANSPORT_MODE='http' -i --rm vault-mcp-server:dev --toolsets=sys,kv
docker run --network=mcp -e VAULT_ADDR='http://vault-dev:8200' -e VAULT_TOKEN='<your-token-from-last-step>' -e TRANSPORT_MODE='http' -i --rm vault-mcp-server:dev --tools=read_secret,list_mounts
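Review bot: both suggested commands pass the token inline as -e VAULT_TOKEN='<your-token-from-last-step>', which leaves the value in shell history and in the container's configuration as shown by docker inspect. For the README, export VAULT_TOKEN in the shell first and pass it through with a bare -e VAULT_TOKEN, or use --env-file, so the copy-paste example does not teach putting the secret on the command line.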
