← Tools

COMMUNITY RFC · DRAFT · MCP SPEC EXTENSION

MCP needs a policy primitive.

Today, every MCP server enforces its own access rules locally — idiosyncratically, without any protocol-level way for clients to know what enforcement happened on a given call. We've drafted an RFC proposing a policy_enforcement capability declaration, a standardized decision shape, and an optional cryptographic-receipt extension.

Inherence's hosted gate is one possible reference implementation — not the canonical one. The goal is a generic primitive that any vendor can implement. The working-group conversation is the deliverable; spec language is downstream.

Engage on the spec repo → Discuss with us

What the extension would standardize.

Server capability declaration: { policies: [...], receipt_format: "groth16-bn254-v1", verifier_key_uri }
Tool-call response shape: policy_decision { kind, policy_id, receipt_id }
Standard error code policy_denial distinct from generic tool failure
Optional in-protocol receipt fetch method for auditor verification
Registry of receipt formats (Groth16, future schemes)

Open questions.

Top-level capability vs per-tool annotation? In-protocol vs out-of-protocol receipt fetch? Policy authoring format neutral, or YAML-canonical? Multi-policy server semantics? Receipt caching with what invalidation? Privacy of policy-violation details on deny?

All open. The RFC is a starting point — if the working group says "this direction is worth pursuing," next step is refinement. If it says "this belongs in a separate ecosystem layer," that's also a valid outcome.