Brane can govern MCP tool access by modeling each MCP server, tool, resource, or prompt as a capability. Policies can then allow or deny MCP actions based on agent identity, tenant, environment, tool risk, input arguments, and runtime metadata. MCP expands the action surface of an AI agent. Brane gives that expanded surface a policy layer.

Why MCP Needs Policy

An MCP server can expose many tools and resources behind one connection. Without runtime policy, the agent may be able to call tools that were not intended for the current user, tenant, environment, or workflow. Brane’s control model is:
MCP tool call -> AgentAction -> PolicyContext -> Policy -> Decision

Capability Naming For MCP

Use namespaced capability names for MCP tools:
mcp.github.create_pr
mcp.github.merge_pr
mcp.slack.send_message
mcp.postgres.query
mcp.filesystem.read_file
Namespaced names make it easier to write exact-match and wildcard policies.

Example: Block MCP Writes In Production

# Runs before every capability ("*"); only MCP capabilities rated
# high or critical are denied when the context is production.
@runtime.before_capability("*")
def block_mcp_writes_in_prod(ctx):
    if ctx.is_prod and ctx.capability.name.startswith("mcp.") and ctx.capability.risk in {"high", "critical"}:
        return Decision(type="deny", reason="High-risk MCP action blocked in prod")
    return Decision(type="allow")

Example: Allow Read-Only MCP Database Queries

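# Runs only for the mcp.postgres.query capability.
@runtime.before_capability("mcp.postgres.query")
def mcp_sql_read_only(ctx):
    # Prefix test on the normalized query text: deny unless it begins with SELECT.
    query = ctx.arg("query", "").strip().lower()
    if not query.startswith("select"):
        return Decision(type="deny", reason="Only SELECT queries are allowed")
    return Decision(type="allow")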
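
The prefix test above passes any string that begins with `select`, including text with a second statement after a `;` or a `SELECT ... INTO`. A stricter, fail-closed argument check is sketched below as an added example (not Brane's own code); `read_only_violation`, its keyword list and the sample queries are assumptions made for illustration, and only `ctx.arg` and `Decision` in the comment come from the page.

```python
import re

# Constructs this lexical check cannot reason about, so it refuses them:
# backslashes (E'' escapes), dollar-quoting and SQL comments.
_AMBIGUOUS = re.compile(r"\\|\$\w*\$|--|/\*")
# Single-quoted literals and double-quoted identifiers, matched in one pass.
_QUOTED = re.compile(r"'(?:[^']|'')*'" r'|"(?:[^"]|"")*"')
# Keywords that write or lock inside a statement that starts with SELECT
# (SELECT ... INTO, FOR UPDATE). Assumed list for this example.
_WRITE_KEYWORDS = re.compile(
    r"\b(insert|update|delete|merge|into|drop|alter|create|truncate|grant|copy|call|lock)\b")


def read_only_violation(query):
    """Return a denial reason, or None when the query passes every check."""
    if not isinstance(query, str):
        return "Query must be a string"
    if _AMBIGUOUS.search(query):
        return "Comments, backslashes and dollar-quoting are not allowed"
    # Blank out quoted text so its contents can neither trigger nor hide a match.
    bare = _QUOTED.sub("?", query).strip().lower()
    if "'" in bare or '"' in bare:
        return "Unbalanced quotes"
    if bare.endswith(";"):
        bare = bare[:-1].rstrip()  # a single trailing terminator is fine
    if ";" in bare:
        return "Only a single statement is allowed"
    if not re.match(r"select\b", bare):
        return "Only SELECT queries are allowed"
    hit = _WRITE_KEYWORDS.search(bare)
    if hit:
        return f"Keyword '{hit.group(1)}' is not allowed in a read-only query"
    return None


# Hypothetical use inside the mcp.postgres.query policy shown above:
#   reason = read_only_violation(ctx.arg("query", ""))
#   return Decision(type="deny", reason=reason) if reason else Decision(type="allow")

# Constructed sample queries (not from the page).
SAMPLES = [
    "SELECT id, name FROM users WHERE status = 'active';",
    "select 1; drop table users",
    "select * into backup from users",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q!r:60} -> {read_only_violation(q) or 'allow'}")
```

A lexical check cannot see side effects inside functions a `SELECT` calls, so keep the database role or transaction read-only as well.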

Current Status

The core runtime supports the capability and policy model today. Dedicated MCP adapters are planned. Until a dedicated adapter ships, use Brane’s core runtime to wrap MCP-facing functions or adapter boundaries in your own application code.