Show and tell: MCP Trust Pack — policy, scope leases, and approval receipts for MCP tool calls #2
Replies: 4 comments
-
|
The split I would make explicit is between approval UX and execution authority. For state-changing MCP calls, I would avoid treating
The gap between For policy shape, code-as-policy is a good starting point for expressiveness, but I would still want the decision output to be small and portable: action class, target boundary, principal/run id, policy id/version, approval or lease id, payload digest/redacted args, expiry, and observed result. If that envelope is stable, teams can begin with TypeScript rules and later add a DSL without changing the audit model. The other useful rule is downgrade-on-unknown: if a tool cannot describe side-effect class or target scope in a typed way, treat it as unknown mutation rather than letting natural-language tool descriptions decide the risk level. Disclosure: I work on Armorer Labs. |
Beta Was this translation helpful? Give feedback.
-
|
Strong agreement on most of this, and you're correctly pointing at Already in
Real gaps:
On the Comments on RFC #7 welcome — particularly on whether Disclosure: I maintain wasmagent-js, the project being discussed. |
Beta Was this translation helpful? Give feedback.
-
|
I would make The reason is that
If the top-level mode becomes an open string too early, downstream tools cannot tell whether Where I would keep flexibility is the evidence envelope attached to the mode. For example, a bounded lease can carry So my bias is: closed-set Disclosure: I work on Armorer Labs. |
Beta Was this translation helpful? Give feedback.
-
|
Adopting this framing verbatim, and it strengthens the v0.3 decision. The argument that The split you are describing — closed-set mode on top, typed
The One addition the v0.3 schema will carry that I want to flag: Disclosure: I maintain wasmagent-js, the project being discussed. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Show and tell: MCP Trust Pack — policy, scope leases, and approval receipts for MCP tool calls
Following up on last week's AEP post — this one is about the layer that runs before the tool executes.
@wasmagent/mcp-firewalland@wasmagent/mcp-gatewayadd a full security control plane to MCP tool calls: identity propagation, tool vetting, policy evaluation, consent tracking, taint marking, scope leases, and approval receipts.What it looks like
Four layers in one
evaluate()call: vetting → policy → consent → taint.New in v0.2: ScopeLease and ApprovalReceipt
ScopeLease — time-bounded permission grant for state-changing tools. Prevents indefinite privilege accumulation:
ApprovalReceipt — immutable record of a human approving a high-risk action:
Both are recorded in the
AEPRecord— so the audit trail shows not just what ran, but what was explicitly authorized and when.Repo
packages/mcp-firewall(stable)packages/mcp-gateway(stable)Questions:
"deny"and"ask_user"that we're not covering?Beta Was this translation helpful? Give feedback.
All reactions