Governance for Every MCP Tool Call.

The Model Context Protocol gives your agents access to tools, data and APIs. Clyro wraps every call with default-deny enforcement, a full audit trail and runtime limits, so a tool that should never run never does.

Why MCP needs a governance layer

MCP standardises how agents reach tools. It does not standardise what those tools can do, who decides, or what happens when something goes wrong. The model picks the tool, the parameters, and how many times to call it. In production, that is how an agent ends up calling an admin tool it should never have reached, or hammering an API hundreds of times in a row.

Clyro's MCP Governance Wrapper sits between the agent and the MCP server. Every tool invocation runs through four runtime controls before it touches your system.

The four MCP failure modes Clyro prevents

Tool-of-tool chains

An MCP server exposes a tool that wraps a second tool. The outer permission allows it, the inner permission would not, but nothing checks. The result is ACL bypass and allow-list drift: the agent ends up with elevated access nobody approved.

Unbounded tool loops

An agent retries a failing tool call with slight variations. The server returns 200 each time. Costs compound until the bill arrives.

Silent prompt injection

A tool returns content the agent treats as instructions. The agent runs a different tool the user never intended.

Untracked side effects

A tool writes, deletes or sends. Nothing logs it with full context. Post-incident review takes hours of log archaeology.

What an MCP-scoped policy looks like

The Prevention Stack, consisting of PolicyEvaluator, AuditLogger, LoopDetector and CostTracker, runs against every MCP call. The MCP wrapper adds two things on top: server-scoped allowlists, and parameter rules written against the tool schema the server advertises.

A policy targeting a single MCP server reads like this:

# mcp/customer-db.yaml
mcp_server: customer-db
default: deny

allow:
  - tool: search_customers
    where:
      - { field: limit, operator: max_value, value: 100 }
  - tool: get_order
    where:
      - { field: order_id, operator: matches, value: "^ord_[A-Z0-9]{8}$" }

deny:
  - tool: delete_*
  - tool: update_*
    where:
      - { field: scope, operator: equals, value: "admin" }

rate_limit:
  per_session: 20
  window_seconds: 5

Server-scoped allowlists (default: deny plus named allow rules) replace the "any tool, any parameters" failure mode described on the homepage. Wildcards on the deny side cover whole categories of write actions at once.

What an MCP audit entry looks like

Every MCP invocation produces one line in the Violation Chain, server-tagged and reviewer-friendly:

{
  "ts": "2026-06-21T08:14:02.119Z",
  "agent": "refund-bot",
  "mcp_server": "customer-db",
  "tool": "delete_customer",
  "params": { "id": "cus_8821" },
  "verdict": "blocked",
  "rule": "deny:tool=delete_*",
  "cost_usd": 0.0,
  "trace_id": "trc_9a4f...e07"
}

That same record is what a security review or a tribunal will ask for. It ships per-invocation, append-only, with the rule that decided it attached.
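To make the policy format and the audit record concrete, here is an added example (not Clyro's own code) of a minimal evaluator that applies the customer-db policy above to a single tool call and emits an entry in the shape shown. It assumes that deny rules take precedence over allow rules, that a where-clause on a missing parameter fails closed, and it holds the YAML as an inline dict so it runs without a YAML library; rate_limit, cost_usd and trace_id are not modelled.

```python
import fnmatch
import re
from datetime import datetime, timezone

# Constructed stand-in for mcp/customer-db.yaml: the same rules as a dict so the example needs no YAML parser.
POLICY = {
    "mcp_server": "customer-db",
    "default": "deny",
    "allow": [
        {"tool": "search_customers",
         "where": [{"field": "limit", "operator": "max_value", "value": 100}]},
        {"tool": "get_order",
         "where": [{"field": "order_id", "operator": "matches",
                    "value": r"^ord_[A-Z0-9]{8}$"}]},
    ],
    "deny": [
        {"tool": "delete_*"},
        {"tool": "update_*",
         "where": [{"field": "scope", "operator": "equals", "value": "admin"}]},
    ],
}

# where-clause operators; a missing or wrongly typed parameter fails the clause (assumption).
OPERATORS = {
    "max_value": lambda actual, limit: isinstance(actual, (int, float)) and actual <= limit,
    "matches": lambda actual, pattern: isinstance(actual, str) and re.search(pattern, actual) is not None,
    "equals": lambda actual, expected: actual == expected,
}


def rule_matches(rule, tool, params):
    """A rule applies when its tool glob matches and every where-clause holds."""
    if not fnmatch.fnmatchcase(tool, rule["tool"]):
        return False
    return all(OPERATORS[c["operator"]](params.get(c["field"]), c["value"])
               for c in rule.get("where", []))


def evaluate(policy, agent, tool, params):
    """Decide one call and return an audit entry naming the rule that decided it.
    Assumed precedence: deny rules, then allow rules, then the policy default."""
    verdict = "allowed" if policy["default"] == "allow" else "blocked"
    rule_id = "default:" + policy["default"]
    for section, outcome in (("deny", "blocked"), ("allow", "allowed")):
        hit = next((r for r in policy.get(section, []) if rule_matches(r, tool, params)), None)
        if hit is not None:
            verdict, rule_id = outcome, f"{section}:tool={hit['tool']}"
            break
    return {"ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "agent": agent, "mcp_server": policy["mcp_server"], "tool": tool,
            "params": params, "verdict": verdict, "rule": rule_id}
```

Calling `evaluate(POLICY, "refund-bot", "delete_customer", {"id": "cus_8821"})` yields a blocked verdict with rule `deny:tool=delete_*`, matching the entry above, while `search_customers` with `limit: 101` falls through the allow rule to the default deny.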

One install, governed by default

Wrap any agent (LangGraph, CrewAI, Claude Agent SDK or your own) and the four controls apply to every MCP tool call:

import clyro

wrapped = clyro.wrap(your_agent, config=clyro.ClyroConfig(
    agent_name="my-agent",
    controls=clyro.ExecutionControls(
        max_steps=50,
        max_cost_usd=10.0,
        enable_loop_detection=True,
        enable_policy_enforcement=True,
    ),
))
result = wrapped.invoke(inputs)

Try it

Start free with the Prevention Stack and MCP Governance on every wrapped agent. No credit card.
