The Deterministic Proxy
How policy is enforced outside the model at the MCP boundary — with predictable, auditable behavior.
Why deterministic?
Model prompts are not control planes. The proxy enforces guardrails the model cannot negotiate: it evaluates tool-call intents and server metadata against pre-declared policy, independent of model outputs.
- Non-bypassable enforcement at the MCP boundary
- Fail-closed defaults and minimal implicit trust
- Audit-evident decisions for each intercepted action
L1 · Rules
Deterministic signatures (e.g., path traversal, SSRF, jailbreak phrases) block known bad patterns fast.
L2 · Schema
Strict validation of tool manifests, argument schemas, and allowlists — deny unknown tools or fields.
L3 · Telemetry
Real-time logs of evaluated rules and outcomes; route blocked events to evidence systems.
See it in practice
McpVanguard implements this model for MCP: intercepting every tool call, validating intent and schemas, and emitting audit logs for blocked and allowed actions.