Problem Statement
Problem
The current sandbox policy supports network rules (allow/deny TCP connections to hosts/ports), filesystem rules, and process rules. However, when an agent communicates with MCP (Model Context Protocol) tool servers, the actual tool invocations are JSON-RPC calls over a single TCP connection. The policy cannot distinguish between different MCP methods on the same connection.
Current Behavior
Policy can only allow/deny at the network level:
    network:
      - host: "10.200.0.1"
        port: 8001
        access: full   # All-or-nothing: either ALL methods are allowed, or NONE
Once a connection is allowed, the agent can call any method on that MCP server — there's no way to restrict which tools/methods are permitted.
Proposed Design
Desired Behavior
Extend the policy language to support method-level filtering for JSON-RPC/MCP traffic:
    network:
      - host: "10.200.0.1"
        port: 8001
        access: full
        methods:
          allow:
            - "tools/call:search_web"    # Allow Tavily search
            - "tools/call:get_weather"   # Allow weather lookup
          deny:
            - "tools/call:send_email"    # Block email sending
            - "tools/call:execute_code"  # Block code execution
The supervisor would need to:
- Detect JSON-RPC traffic on governed connections (Content-Type or protocol detection); this only works where the supervisor sees the plaintext, so TLS to the MCP server would have to terminate at the supervisor
- Parse the JSON-RPC method field and, for tools/call, params.name, including JSON-RPC batch requests (an array of requests in one payload)
- Apply allow/deny rules before forwarding to the MCP server: deny should take precedence over allow, and a request that cannot be parsed should be dropped rather than forwarded
- Log/audit which methods were called (for governance compliance)
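The following is an added illustration of the filtering step described above, not code from the supervisor or from the MCP Governance Gateway mentioned later. It takes the proposed methods block (as a Python dict rather than YAML, so it runs without a YAML parser), evaluates JSON-RPC requests against it, and returns the decisions for the audit log, the payload to forward, and JSON-RPC error responses for the agent. Transport framing (extracting the body from an HTTP request or a newline-delimited stream) is assumed to have already happened. The treatment of MCP session methods (initialize, tools/list, ping), the deny-wins-then-allow-list ordering, and the error code -32001 are assumptions, not anything the proposal specifies.

```python
"""Method-level filtering of MCP JSON-RPC requests (added example, not project code)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any, Optional

# Mirrors the proposed `methods:` block; a dict here so no YAML parser is needed.
POLICY = {
    "host": "10.200.0.1",
    "port": 8001,
    "access": "full",
    "methods": {
        "allow": ["tools/call:search_web", "tools/call:get_weather"],
        "deny": ["tools/call:send_email", "tools/call:execute_code"],
    },
}

# Assumption: session plumbing must pass for any tool to work, so these methods are
# allowed unless explicitly denied; every other method is subject to the allow list.
SESSION_METHODS = {"initialize", "notifications/initialized", "ping", "tools/list"}

# Assumption: a server-defined JSON-RPC error code (reserved range -32000..-32099).
POLICY_DENIED = -32001


@dataclass
class Decision:
    allowed: bool
    key: str            # rule key as written in the policy, e.g. "tools/call:send_email"
    reason: str
    request_id: Any = None


def policy_key(request: dict) -> str:
    """Rule key: 'tools/call:<params.name>' for tool calls, the bare method otherwise."""
    method = request.get("method")
    if not isinstance(method, str) or not method:
        raise ValueError("missing or non-string 'method'")
    if method == "tools/call":
        params = request.get("params")
        name = params.get("name") if isinstance(params, dict) else None
        if not isinstance(name, str) or not name:
            raise ValueError("tools/call without params.name")
        return f"{method}:{name}"
    return method


def evaluate(request: dict, policy: dict) -> Decision:
    """Deny list wins, then session methods, then the allow list; malformed input is denied."""
    rules = policy.get("methods") or {}
    deny, allow = set(rules.get("deny", [])), set(rules.get("allow", []))
    rid = request.get("id")
    try:
        key = policy_key(request)
    except ValueError as exc:
        return Decision(False, "<invalid>", f"malformed: {exc}", rid)
    if key in deny:
        return Decision(False, key, "explicit deny", rid)
    if key in SESSION_METHODS:
        return Decision(True, key, "session method", rid)
    if not allow:
        return Decision(True, key, "no allow list configured", rid)
    if key in allow:
        return Decision(True, key, "explicit allow", rid)
    return Decision(False, key, "not in allow list", rid)


def error_response(d: Decision) -> Optional[dict]:
    """JSON-RPC error sent back to the agent for a denied request; notifications (no id) get none."""
    if d.request_id is None:
        return None
    return {"jsonrpc": "2.0", "id": d.request_id,
            "error": {"code": POLICY_DENIED, "message": f"blocked by policy: {d.key} ({d.reason})"}}


def filter_payload(raw: bytes, policy: dict) -> tuple[list[Decision], Optional[bytes], list[dict]]:
    """Filter one JSON-RPC payload (single object or batch) before it reaches the MCP server.

    Returns (decisions for the audit log, bytes to forward or None, error responses for the
    agent). A payload that is not JSON is dropped in full: the supervisor fails closed.
    """
    try:
        doc = json.loads(raw)
    except ValueError:
        return [Decision(False, "<invalid>", "payload is not JSON")], None, []
    items = doc if isinstance(doc, list) else [doc]
    decisions, forward, errors = [], [], []
    for item in items:
        d = evaluate(item, policy) if isinstance(item, dict) else Decision(False, "<invalid>", "not an object")
        decisions.append(d)
        if d.allowed:
            forward.append(item)
        elif (err := error_response(d)) is not None:
            errors.append(err)
    if not forward:
        return decisions, None, errors
    out = forward if isinstance(doc, list) else forward[0]
    return decisions, json.dumps(out).encode(), errors


# Constructed sample traffic: one tool call the policy permits and one it blocks, in a batch.
SAMPLE_BATCH = json.dumps([
    {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
     "params": {"name": "search_web", "arguments": {"query": "mcp governance"}}},
    {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
     "params": {"name": "send_email", "arguments": {"to": "someone@example.com"}}},
]).encode()

if __name__ == "__main__":
    decisions, forward, errors = filter_payload(SAMPLE_BATCH, POLICY)
    for d in decisions:
        print(f"audit id={d.request_id} key={d.key} allowed={d.allowed} reason={d.reason}")
    print("forward:", forward)
    print("errors:", errors)
```

Two behaviours are worth noting. A denied request inside a batch is stripped and answered with a JSON-RPC error carrying its id, so the agent still gets one response per request and the server never sees the blocked call; a denied notification (no id) is silently dropped, since JSON-RPC defines no reply for it. And a tools/call whose params.name is missing or not a string is denied as malformed rather than forwarded, so the server cannot be made to interpret a name the supervisor failed to classify.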
Alternatives Considered
Use Case
Enterprise governance requires fine-grained control over what an AI agent can do — not just which services it can connect to, but which specific operations it can perform. This is critical for:
- Compliance (agent can read but not write)
- Safety (agent can search but not send emails)
- Least-privilege (agent only gets the specific tools it needs)
- Audit trail (which methods were invoked, by which user, when)
Workaround
We built an external "MCP Governance Gateway" that sits between the agent and the MCP server, intercepts JSON-RPC calls, and enforces method-level policy. This works but adds latency, deployment complexity, and doesn't benefit from the supervisor's built-in audit/policy infrastructure.
Agent Investigation
No response
Checklist