MCP Tooling Control for Devs

Description

Gate a local MCP server’s run_tool:db-migrate so only build-agent bots with devops_migrate can run it, from compliant devices, during a change window, with trust ≥ 85.

Add human-in-the-loop break-glass approvals as another policy clause. Each invocation requires a fresh token; the decision records device posture, window ID, and change ticket.


Business Value

Prevent accidental destructive tooling use; enforce change windows; create clean audits:

  • Prevents high-impact mistakes: Time-boxed, device-aware authorization eliminates most accidental misuse.
  • Consistent control across heterogeneous dev setups: Same policy applies to laptops, CI, or containers.
  • Forensic clarity: One audit trail across tools, people, and agents for incident reviews.
  • Fewer custom hooks: Keep “safety” out of scripts; move it into transparent policy.

Why Not With Alternatives?

Local tokens or API keys cannot safely encode device posture and time-boxed change windows together with DID-backed identity and per-request decisions, and OPA alone cannot verify who actually invoked the tool:

  • Local secrets/sudo neither verify which agent invoked a tool nor enforce device posture.
  • MDM/endpoint checks don’t couple posture with per-invocation authorization and one-shot tokens.
  • CI/CD rules don’t cover local developer tooling or ad-hoc runs equally well.

Policy

package mcp.tooling   # package name chosen for this example; any name works

import rego.v1        # enables the `if` keyword on OPA 0.59+ (implicit on OPA 1.0+)

default allow := false

allow if {
  input.action == "devops_migrate"        # agent/bot must carry this capability in its VC
  input.resource == "mcp://db-migrate"    # the gated MCP tool
  input.context.change_window == true     # call is inside an approved change window
  input.context.device_compliant == true  # device posture verified by the PEP
  input.trust >= 85                       # minimum trust score
}
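As an added example, not the page's own policy, the clause above is extended in Rego v1 with the break-glass path and the per-invocation decision record that the description calls for; the input field names (token.jti, context.break_glass, context.window_id, context.change_ticket), the data.used_tokens replay set, and the sample inputs are assumptions, and the test rules run with `opa test`.

```rego
package mcp.tooling

import rego.v1

default allow := false

# One-shot token: the enforcement point passes already-used token IDs as data.used_tokens (assumed).
fresh_token if {
	input.token.jti != ""
	not data.used_tokens[input.token.jti]
}

# Normal path: the page's clause, plus the fresh-token requirement.
allow if {
	fresh_token
	input.action == "devops_migrate"
	input.resource == "mcp://db-migrate"
	input.context.change_window == true
	input.context.device_compliant == true
	input.trust >= 85
}

# Break-glass path (assumed shape): a human approval bound to the same ticket, by someone other than the caller.
allow if {
	fresh_token
	input.resource == "mcp://db-migrate"
	input.context.device_compliant == true
	input.context.break_glass.approved == true
	input.context.break_glass.ticket == input.context.change_ticket
	input.context.break_glass.approver != input.subject
}

# Decision record for the audit trail, produced whether or not the call is allowed.
decision := {
	"allow": allow,
	"device_compliant": input.context.device_compliant,
	"window_id": object.get(input.context, "window_id", null),
	"change_ticket": input.context.change_ticket,
}

# Constructed inputs for `opa test`; DIDs, ticket IDs and trust scores are made up.
in_window := {"subject": "did:example:build-agent-7", "action": "devops_migrate", "resource": "mcp://db-migrate", "trust": 90, "token": {"jti": "tok-0001"}, "context": {"change_window": true, "device_compliant": true, "window_id": "CW-42", "change_ticket": "CHG-1234"}}
break_glass_input := {"subject": "did:example:dev-alice", "resource": "mcp://db-migrate", "trust": 70, "token": {"jti": "tok-0002"}, "context": {"change_window": false, "device_compliant": true, "change_ticket": "CHG-1234", "break_glass": {"approved": true, "ticket": "CHG-1234", "approver": "did:example:oncall-lead"}}}

test_bot_in_window_allowed if allow with input as in_window
test_replayed_token_denied if not allow with input as in_window with data.used_tokens as {"tok-0001"}
test_break_glass_allowed_and_recorded if {
	allow with input as break_glass_input
	decision.change_ticket == "CHG-1234" with input as break_glass_input
}
```

The PEP is expected to add each token's `jti` to `data.used_tokens` after a decision so the second use of the same token is refused.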