Support method-level governance for MCP tool calls (JSON-RPC) in sandbox policy #1793

Description

@prakashmirji

Problem Statement

Problem
The current sandbox policy supports network rules (allow/deny TCP connections to hosts/ports), filesystem rules, and process rules. However, when an agent communicates with MCP (Model Context Protocol) tool servers, the actual tool invocations are JSON-RPC calls over a single TCP connection. The policy cannot distinguish between different MCP methods on the same connection.

Current Behavior
Policy can only allow/deny at the network level:

```yaml
network:
  - host: "10.200.0.1"
    port: 8001
    access: full  # All-or-nothing: either ALL methods are allowed, or NONE
```

Once a connection is allowed, the agent can call any method on that MCP server — there's no way to restrict which tools/methods are permitted.

Proposed Design

Desired Behavior
Extend the policy language to support method-level filtering for JSON-RPC/MCP traffic:

```yaml
network:
  - host: "10.200.0.1"
    port: 8001
    access: full
    methods:
      allow:
        - "tools/call:search_web"      # Allow Tavily search
        - "tools/call:get_weather"     # Allow weather lookup
      deny:
        - "tools/call:send_email"      # Block email sending
        - "tools/call:execute_code"    # Block code execution
```

The supervisor would need to:

  1. Detect JSON-RPC traffic on governed connections (Content-Type or protocol detection)
  2. Parse the JSON-RPC method and params.name fields
  3. Apply allow/deny rules before forwarding to the MCP server
  4. Log/audit which methods were called (for governance compliance)
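The following is an added illustration of the evaluation step the proposal describes (parse the JSON-RPC `method` and `params.name`, match them against the `methods.allow` / `methods.deny` lists, emit an audit record per call). It is not code from the sandbox project; it assumes a rule is written as `method` or `method:params.name`, that deny rules take precedence over allow rules, that a non-empty allow list is closed (anything unlisted is denied), that `*` may be used as a glob wildcard in a rule, and that a payload which is not a well-formed JSON-RPC 2.0 request, or a batch containing any denied request, is rejected whole rather than forwarded.

```python
"""Method-level allow/deny evaluation for MCP JSON-RPC calls.

Added example only; not the sandbox supervisor's own code.  Assumed rule
syntax: "<method>" or "<method>:<params.name>", optional "*" globs.
"""
import json
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class MethodPolicy:
    """The `methods:` block of one network rule (assumed shape)."""
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)


def rule_key(method: str, name: Optional[str]) -> str:
    """Key a request is matched under, e.g. 'tools/call:search_web' or 'tools/list'."""
    return f"{method}:{name}" if name is not None else method


def _matches(key: str, rules: List[str]) -> bool:
    # fnmatchcase gives case-sensitive "*" / "?" globbing, e.g. "tools/call:*".
    return any(fnmatchcase(key, rule) for rule in rules)


def evaluate(policy: Optional[MethodPolicy], method: str, name: Optional[str]) -> Tuple[str, str]:
    """Return (decision, reason).  No `methods:` block keeps today's all-or-nothing behaviour."""
    if policy is None:
        return "allow", "no method rules; connection-level access applies"
    key = rule_key(method, name)
    if _matches(key, policy.deny):                 # deny always wins
        return "deny", f"matched deny rule for {key}"
    if policy.allow:                               # closed allow list
        if _matches(key, policy.allow):
            return "allow", f"matched allow rule for {key}"
        return "deny", f"{key} not in allow list"
    return "allow", f"no allow list; {key} not denied"


def parse_jsonrpc(raw: bytes) -> List[dict]:
    """Parse a JSON-RPC 2.0 payload into request objects (batches are flattened).

    Raises ValueError for anything that is not a JSON-RPC 2.0 request, so the
    caller can fail closed instead of forwarding traffic it could not inspect.
    """
    try:
        msg = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        raise ValueError(f"not JSON: {exc}") from exc
    msgs = msg if isinstance(msg, list) else [msg]
    for m in msgs:
        if not isinstance(m, dict) or m.get("jsonrpc") != "2.0" or not isinstance(m.get("method"), str):
            raise ValueError("not a JSON-RPC 2.0 request")
    return msgs


def govern(policy: Optional[MethodPolicy], raw: bytes) -> Tuple[bool, List[dict]]:
    """Evaluate every request in a payload.

    Returns (forward, audit_records).  A batch is forwarded only if every
    request in it is allowed; unparseable payloads are denied (fail closed).
    """
    try:
        reqs = parse_jsonrpc(raw)
    except ValueError as exc:
        return False, [{"id": None, "method": None, "tool": None, "decision": "deny", "reason": str(exc)}]
    audit = []
    for r in reqs:
        params = r.get("params") if isinstance(r.get("params"), dict) else {}
        name = params.get("name") if isinstance(params.get("name"), str) else None
        decision, reason = evaluate(policy, r["method"], name)
        audit.append({"id": r.get("id"), "method": r["method"], "tool": name,
                      "decision": decision, "reason": reason})
    return all(a["decision"] == "allow" for a in audit), audit


# Constructed policy mirroring the proposal's example; MCP handshake and
# tool discovery are allowed explicitly because the allow list is closed.
POLICY = MethodPolicy(
    allow=["initialize", "tools/list", "tools/call:search_web", "tools/call:get_weather"],
    deny=["tools/call:send_email", "tools/call:execute_code"],
)

if __name__ == "__main__":
    # Constructed sample payloads as they would arrive on the governed connection.
    samples = [
        b'{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_weather","arguments":{"city":"Oslo"}}}',
        b'[{"jsonrpc":"2.0","id":2,"method":"tools/list"},'
        b'{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"execute_code","arguments":{}}}]',
        b'GET / HTTP/1.1\r\n',
    ]
    for raw in samples:
        forward, records = govern(POLICY, raw)
        print("forward" if forward else "block", json.dumps(records))
```

Two design points worth noting: the allow list is treated as closed, so the handshake methods (`initialize`, `tools/list`) must be listed or the agent cannot reach the tools it is allowed to call at all; and a request whose `params.name` is missing or not a string is matched on the bare method, so a rule like `tools/call` alone never matches a named tool call (use `tools/call:*` for that).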

Alternatives Considered

Use Case
Enterprise governance requires fine-grained control over what an AI agent can do — not just which services it can connect to, but which specific operations it can perform. This is critical for:

  • Compliance (agent can read but not write)
  • Safety (agent can search but not send emails)
  • Least-privilege (agent only gets the specific tools it needs)
  • Audit trail (which methods were invoked, by which user, when)

Workaround
We built an external "MCP Governance Gateway" that sits between the agent and the MCP server, intercepts JSON-RPC calls, and enforces method-level policy. This works but adds latency, deployment complexity, and doesn't benefit from the supervisor's built-in audit/policy infrastructure.

Agent Investigation

No response

Checklist

  • I've reviewed existing issues and the architecture docs
  • This is a design proposal, not a "please build this" request

Labels

  • area:policy (Policy engine and policy lifecycle work)
  • area:supervisor (Proxy and routing-path work)
  • gator:validated (Gator validated this issue as ready for work)