Policy Governance

Enforcing rules on capabilities

Beyond simple change detection, you may want to enforce Policies on what tools are allowed.

For example:

  • "No tools can have 'write' in their name."
  • "All tools must have a description longer than 10 characters."

Writing Policies

MCPTrust uses CEL (Common Expression Language).

# policy.yaml
rules:
  - name: "No file writes"
    expr: "!tools.exists(t, t.name.contains('write_file'))"

Checking Policy

mcptrust policy check -- "npx -y @modelcontextprotocol/server-filesystem /tmp"

If the check fails, the command exits with code 1. This can be used as a pre-commit hook or CI gate.

Docs — MCPTrust