MCP Gateway Policy Pack
The product bet
Agentic remediation cannot scale on prompt discipline alone. Enterprise buyers need a boring answer to a hard question: “What prevents this agent from using the wrong tool, touching the wrong file, or continuing after its scope has changed?”
The policy pack is that answer. It makes the site more than a library of instructions by creating a machine-readable layer that can sit between AI agents and enterprise systems:
- Agents get a simple decision contract instead of paragraphs of policy.
- Gateways get explicit scopes, path limits, labels, and runtime kill signals.
- Reviewers get evidence requirements that are consistent across tools.
- Platform teams get one artifact they can pin, diff, and promote.
This is the shape a buyer can underwrite: recipes for adoption, manifests for governance, policy for enforcement, and evidence for audit.
What was added
The policy pack is generated from the workflow control-plane manifest:
data/policy/mcp-gateway-policy.json- the generated policy bundle.scripts/generate_mcp_gateway_policy.py- a dependency-free generator with--checkmode for CI drift detection.scripts/evaluate_mcp_gateway_decision.py- a dependency-free runtime evaluator that turns the generated policy into per-call decisions.recipes_mcp_gateway_policy- an MCP tool that exposes the pack to connected agents and gateways.recipes_evaluate_mcp_gateway_decision- an MCP tool that lets an agent host or gateway evaluate one runtime request against the pack.
Run it from the repo root:
python3 scripts/generate_mcp_gateway_policy.py
python3 scripts/generate_mcp_gateway_policy.py --checkGitHub Actions runs the check before the Hugo build, so a workflow manifest cannot change without updating the generated enforcement contract.
Policy decisions
Every workflow policy defaults to deny. A gateway should allow only
the declared decisions:
| Decision | Meaning |
|---|---|
allow | Read-only context access inside the declared MCP namespace. |
allow_scoped_branch | Write only to the workflow branch prefix and declared file scope. |
allow_scoped_ticket | Write workflow evidence or triage notes only to declared ticket systems. |
hold_for_approval | Pause and require a typed human approval record before continuing. |
deny | Fail closed for undeclared workflows, tools, paths, hosts, or gates. |
kill_session | Disable the active agent session when a runtime kill signal fires. |
The generated pack also carries the runtime attributes an enforcer needs to make those decisions: workflow ID, agent ID, run ID, tool namespace, access mode, branch name, changed paths, diff size, gate phase, and human approval record.
How gateways use it
An MCP gateway or agent runtime should apply the pack as a pre-call and mid-run control:
- Load the policy pack at startup and pin its
source_manifest.sha256. - Match the incoming run to
workflow_id. - Reject the run if the workflow is missing, paused, retired, or outside its declared maturity posture.
- For each tool call, match
tool_namespaceand requested access mode againstallowed_mcp_scopes. - For each proposed file write, enforce
allowed_paths,forbidden_paths,max_changed_files, andmax_diff_lines. - For each gate transition, require the phase rules and evidence records declared by the workflow.
- Kill the session when any runtime kill signal fires.
The policy pack is intentionally vendor-neutral. It can be converted into OPA/Rego, Cedar, a gateway-native rule format, or a simple in-process decision table. The important part is that the source of truth is the same artifact agents can retrieve and auditors can review.
Industry alignment
This feature is aligned with the controls serious AI security programs are already converging on:
- MCP Security Best Practices calls out MCP-specific attack paths such as confused deputy and token passthrough risk. A gateway policy pack keeps tool access scoped and auditable.
- MCP Authorization requires token audience validation and explicit authorization handling for HTTP transports. The pack gives operators the workflow-level authorization context those checks need.
- OWASP Top 10 for Agentic Applications highlights goal hijacking, tool misuse, and identity or privilege abuse as core agentic risks. The pack narrows tool use and fails closed on undeclared actions.
- NIST AI RMF frames trustworthy AI around govern, map, measure, and manage functions. This pack operationalizes those functions for remediation workflows.
- CISA Secure by Design pushes measurable security outcomes and executive ownership. Generated, versioned policy is a measurable control, not a slide.
- Open Policy Agent popularized decoupling policy decisions from application logic. The pack follows that model while staying neutral about the final policy engine.
Enterprise checklist
Before promoting a workflow to broad rollout, require:
- The workflow manifest validates cleanly.
- The gateway policy pack is regenerated and
--checkpasses in CI. - The MCP gateway denies undeclared namespaces by default.
- The gateway records every hold, denial, and kill-session decision with run ID attribution.
- Human approvals are typed records, not chat messages.
- The policy pack hash is attached to PR evidence or the run log.
That is the difference between “the prompt said no” and “the platform could not do it.”
See also
- Workflow Control Plane
- the source manifest this pack is generated from.
- MCP Connector Trust Registry
- the connector inventory and trust-tier contract for every MCP namespace.
- MCP Runtime Decision Evaluator
- how to execute the policy pack before an agent tool call runs.
- Runtime Controls
- how inline proxies and session disablement enforce the pack.
- Agentic Assurance Pack
- how generated policy becomes part of the enterprise trust export.
- Agent Identity & Delegation Ledger
- how gateway scopes become non-human identity delegation contracts.
- Gatekeeping Patterns
- where admission, tool-call, pre-merge, post-merge, and runtime gates fit.
- Compliance & Audit
- how generated policy becomes auditor-ready evidence.