Adding Human Approval to MCP Tool Calls Without Code Changes
The article introduces sidclaw-mcp-guard, a CLI tool that adds policy-based guardrails to MCP servers, allowing for human approval of write and destructive operations without modifying the client code.
Why it matters
This tool helps address a security concern with MCP servers, where any agent-initiated tool call is executed without policy checks. Adding human approval for sensitive operations can improve the safety and governance of MCP-based systems.
Key Points
- sidclaw-mcp-guard is a proxy that sits between the MCP client and server, intercepting tool calls
- It classifies tool calls using semantic patterns and applies policies to allow, hold for approval, or deny the requests
- Policies are defined in a YAML file, with rules for allowing read-only queries, approving data changes, and blocking schema changes
Details
The article explains how the sidclaw-mcp-guard tool works as a proxy between the MCP client and server. It intercepts every 'tools/call' request and applies a set of policy rules defined in a YAML file. These rules use semantic patterns to classify the tool calls as read-only queries, data changes, or schema changes. Read-only queries are automatically allowed, data changes are held for human approval, and destructive schema changes are blocked outright. The tool provides an approval dashboard running on localhost:9091 where users can review and approve the held requests. This allows adding human oversight to MCP tool calls without modifying the client code.
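The classification step described above, as an added example rather than sidclaw-mcp-guard's own code: the rule schema, the `query` tool name and the `sql` argument are assumptions, and the decision logic deliberately checks every statement in an argument (after stripping SQL comments) and takes the strictest match, since a first-keyword rule on its own would classify `SELECT 1; DROP TABLE t` as read-only.

```python
import re

# Rules mirror the article's three policy classes (read-only / data change /
# schema change). This schema is an assumption for the example, not the
# project's YAML format. Order does not matter: the strictest match wins.
RULES = [
    {"name": "read-only queries", "action": "allow",
     "match": r"^(select|show|describe|explain)\b"},
    {"name": "data changes", "action": "hold",
     "match": r"^(insert|update|delete|merge|upsert)\b"},
    {"name": "schema changes", "action": "deny",
     "match": r"^(drop|alter|truncate|create|grant|revoke)\b"},
]
SEVERITY = {"allow": 0, "hold": 1, "deny": 2}

def statements(arguments):
    """Yield each SQL statement found in the call arguments, lower-cased and
    stripped of comments, so a stacked 'SELECT 1; DROP TABLE x' is two items."""
    for value in arguments.values():
        if not isinstance(value, str):
            continue
        text = re.sub(r"--[^\n]*|/\*.*?\*/", " ", value, flags=re.S)
        for stmt in text.split(";"):
            stmt = stmt.strip().lower()
            if stmt:
                yield stmt

def decide(request, rules=RULES):
    """Return 'allow', 'hold' or 'deny' for one JSON-RPC message.
    Only tools/call is policed; anything the rules do not classify is held
    for a human rather than silently allowed."""
    if request.get("method") != "tools/call":
        return "allow"
    args = request.get("params", {}).get("arguments", {})
    decision, seen = "allow", False
    for stmt in statements(args):
        seen = True
        action = next((r["action"] for r in rules if re.match(r["match"], stmt)), "hold")
        if SEVERITY[action] > SEVERITY[decision]:
            decision = action
    return decision if seen else "hold"

def call(sql):
    """Build a constructed MCP tools/call request for a hypothetical 'query' tool."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": "query", "arguments": {"sql": sql}}}

if __name__ == "__main__":
    for sql in ["SELECT * FROM orders", "UPDATE orders SET status='x'",
                "SELECT 1; DROP TABLE orders", "/* cleanup */ TRUNCATE audit"]:
        print(f"{decide(call(sql)):5} <- {sql}")
```

A real proxy would route `hold` decisions to the approval dashboard and forward the original request only once a reviewer accepts it.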