Proposal: Permission Specification for MCP Tool Calls #2498
Replies: 9 comments 7 replies
-
|
For financial MCP tools, permission specification and audit trail collapse into the settlement layer. Our DelegationRegistry contract enforces scope (which contract the signer can call), daily USDC budget, and expiry atomically at execution time. Any party can verify the delegation on-chain without trusting any server response. The deny-first principle maps directly: a session key not listed in DelegationRegistry.isAuthorized() is rejected at the contract level, not in an evaluation layer. The gap: this only works when tool effects settle on a blockchain. For off-chain tools, a spec like yours is needed. For financial execution specifically, the settlement contract can be the policy enforcer. |
Beta Was this translation helpful? Give feedback.
-
|
The 71% F-score finding across MCP servers is not surprising but it is useful to have quantified. The structural problem is that MCP defaults to "all tools available to all callers" and the spec provides no opt-in mechanism for restriction. On the design questions:
The chain depth constraint type is underrated. Most real exploits in agent systems come from deep delegation chains where no single hop looks dangerous but the cumulative capability is. |
Beta Was this translation helpful? Give feedback.
-
|
@jagmarques @tysoekong you are both landing on the same point independently and I think you are right. The separate-method approach was my original design because it keeps the policy document self-contained and portable. But the practical argument wins: if discovering permissions requires an extra round-trip, most clients will skip it. And for gateways aggregating dozens of servers, name-matching tools to an external ACL config is exactly the kind of thing that breaks the moment a new server is added dynamically. The inline approach could work as optional fields on the tool definition in {
"name": "push_files",
"description": "Push files to a repository",
"inputSchema": { ... },
"permissions": {
"scopes": ["repo:write"],
"constraints": [
{ "type": "rateLimit", "max": 10, "windowSeconds": 3600 }
]
}
}Servers that do not include the tysoekong's I'll update the spec to support both modes: inline policy hints on The chain depth point is underrated. The most dangerous delegation chains we've seen in production are ones where each individual hop looks innocuous. |
Beta Was this translation helpful? Give feedback.
-
|
The issue we are having is that there is no provision for e.g. "ACLs" on individual tools. It can be driven by the tool metadata map, however this then becomes implementation-specific, and not portable. When aggregating many servers on a gateway, right now the only options is to name-match the backend tool to an ACL defined in the gateway config, and apply it per-request. This is not so scalable, if MCP is to implement a whole discovery mechanism whereby tool servers can be discovered and loaded in dynamically, and the developer does not need to change anything at the "gateway", then per-tool scope-definitions are needed in the tools list response. Under the {
...
"conditions": {
"scopes": { "enum": ["admins", "financial_read"] } # or "roles"
}
...
}This would deliver to the agent the idea that the current context does not have the scope to execute this tool. Then the server must enforce this restriction but at least there is an early feedback loop to the user/agent that they need higher privilege. |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
|
@arian-gogani the permissions vs behavioral constraints distinction is the right framing. We have been treating these as one layer but they are two distinct enforcement points. Permissions: "can this agent call The current spec handles both through the The SHA-256 hash-chained log convergence is interesting. We arrived at the same design independently, which suggests it is the natural solution for tamper-evident agent audit trails. I'd be interested in how Nobulex handles constraint composition when multiple covenants apply to the same tool call. In our spec, rules are evaluated in priority order with deny-first default. If your behavioral constraints layer sits alongside the permission layer, there needs to be a defined evaluation order between them. Will check out the playground. If there is an opportunity to make the two systems composable — AgentsID permission rules feeding into Nobulex behavioral enforcement — that could be a strong combined offering for the spec discussion. |
Beta Was this translation helpful? Give feedback.
-
|
Strong proposal. The per-tool authorization gap is real. I want to raise a related problem that compounds it: what happens to permissions when content flows through derivation chains? |
Beta Was this translation helpful? Give feedback.
-
|
@aman210122 the derivation chain problem is real and it is the gap I have been avoiding because it is genuinely hard. Your composition rules — max sensitivity, intersect access, union regulatory tags — are the right semantics. We saw a simpler version of this in multi-agent delegation chains: agent A has access to financial data, delegates to agent B with narrowed scope, agent B produces a summary that implicitly contains the restricted data. Our delegation protocol handles scope narrowing on the permission side but does not track what information is embedded in the output. The healthcare scenario is the sharpest example. HIPAA + SOX derivation means the output inherits the most restrictive governance from all sources. If you only enforce at the tool call boundary, the output is unclassified despite containing classified inputs. I think this belongs as a governance extension to the permission spec rather than in the core. The core handles pre-execution authorization (can you call this tool with these parameters). Output governance is a post-execution concern that requires tracking data lineage through the agent graph, which is a different problem with different enforcement points. That said, the spec should define the hooks for it. An audit entry that records input source classifications alongside the tool call result would give a governance layer enough information to apply your composition rules after the fact. Would like to see the formal definitions and test cases when you put them together. This is the kind of thing that needs concrete examples to get the semantics right. |
Beta Was this translation helpful? Give feedback.
-
|
@AmanSharma2609 the derivation chain problem is real and I keep seeing it come up independently across these discussions — which means it's a real gap, not a theoretical one. The composition rules you landed on (max sensitivity, intersect access, union regulatory) are the same ones you described in #2493. The fact that you arrived at them through deployment testing rather than theory is the strongest validation. For the permission spec specifically: tool-level permissions + output governance composition are two different enforcement points that both need to exist. The permission spec handles the first. Your composition rules handle the second. Proof-of-behavior can enforce both and log the evidence for each decision. The enforcement middleware could evaluate two constraint sets per action:
Both decisions go into the same hash-chained log. Auditor replays both. This is converging with the work in cxp-protocol — would be worth formalizing the composition rules as part of the governance vocabulary crosswalk happening in agent-governance-vocabulary. |
Beta Was this translation helpful? Give feedback.
-
|
Good point on the dual constraint set. The pre-execution permission check and post-execution composition check are distinct enforcement points that both need to exist. |
Beta Was this translation helpful? Give feedback.
-
|
@arian-gogani @aman210122 the governance vocabulary crosswalk at aeoess/agent-governance-vocabulary#10 is exactly where the AgentsID permission spec should be mapped. The spec defines 12 constraint types and a delegation protocol — having those terms in a shared vocabulary alongside Nobulex's behavioral constraints and the composition semantics would make all three interoperable. Please tag me on that issue when you are ready. I can contribute the AgentsID constraint type definitions and the evaluation algorithm semantics. The deny-first evaluation order, priority resolution, and scope narrowing rules are the pieces that need formal definitions if they are going to compose with other governance systems. This conversation is converging on a layered architecture:
All three enforcement points log to a shared audit trail. That is a complete governance stack for agent tool calls. |
Beta Was this translation helpful? Give feedback.
-
|
This layered framing makes sense. Permission (who can call what), behavioral constraints (how they can call it), and output governance (what rules apply to derived data) are three distinct enforcement points that all need to exist independently but compose together. |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
|
Sounds good. Feel free to tag me on the vocabulary repo when you are ready for the composition semantics. I will put together the formal definitions and test cases. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Summary
I would like to propose a standard format for expressing, evaluating, and auditing permission rules for MCP tool calls — the AgentsID Permission Specification v1.0.
The full spec is published at agentsid.dev/spec and github.com/stevenkozeniesky02/permission-spec. This post summarizes the motivation, design, and asks for feedback from MCP maintainers.
Motivation
MCP gives agents unrestricted access to every tool a server exposes by default. The spec delegates authentication to the transport layer and provides no mechanism for:
We recently scanned 100 MCP servers using an open-source scanner (
@agentsid/scanner) and published the results in "The State of MCP Server Security 2026".Key findings:
server-githubandserver-filesystem)We filed two issues on this repo:
push_filesscope constraintsThe root cause in both cases is not buggy code — it is the absence of a standard way to express what an agent is permitted to do.
The Proposal
A permission policy is a JSON document attached to an agent. A pure-function evaluation engine decides allow/deny at tool call time. An audit log records every decision with cryptographic integrity.
Permission Rule Format
{ "version": "1.0", "agentId": "agent_abc123", "expiresAt": "2026-04-29T00:00:00Z", "rules": [ { "tools": ["github.push_files"], "action": "allow", "conditions": { "owner": { "pattern": "^myorg$" }, "branch": { "enum": ["main", "develop"] } }, "constraints": [ { "type": "rateLimit", "max": 10, "windowSeconds": 3600 } ] }, { "tools": ["**"], "action": "deny" } ] }Core Principles
Constraint Types (12 built-in)
Schedule, Rate Limit, Data Classification, Budget, Sequence, Session Limit, Risk Score, IP Allowlist, Chain Depth, Cooldown, Anomaly Detection, Approval Gate — plus
x-prefixed extensions.Delegation Protocol
Agents can delegate a subset of their permissions to sub-agents. Scope can only narrow, never expand. Revoking a delegation cascades to all sub-delegations immediately.
Audit Log
Every evaluation decision produces an append-only audit entry with SHA-256 hash chaining. Any tampering with a historical entry invalidates all subsequent hashes.
Relationship to Existing MCP Auth Work
This proposal is a complement to, not a replacement for, the MCP auth spec (OAuth 2.1 / transport-level authentication). The auth spec answers "who is this agent?" This proposal answers "what is this agent allowed to do, with what parameters, under what conditions?"
These are orthogonal problems. You need both.
What I Am Asking
Links
npx @agentsid/scannerBeta Was this translation helpful? Give feedback.
All reactions