MCP tool call
Agent tool calls route through MCP Guard. Routine calls pass in milliseconds. Consequential calls hold for a named signer.
Policy clears the routine. A named human signs the consequential. Every agent action gets a portable, tamper-evident receipt.
Runs across MCP · CI/CD · SQL · APIs
"About 90% of code at Anthropic is now written by Claude — engineers are in a supervisory role."
Agent incidents
97 documented incidents of agents acting without authorization, 40 of them critical.
Latest (2026-07-09): Symlink attack fools HITL approval — Claude Code knew the risk and hid it
The question no one can answer
List every production change last quarter that was AI-originated. Show the accountable human for each.
Your repo host cannot answer it. Your observability stack cannot. The sandbox cannot. Approvals today record that a human clicked; they carry no record of which agent acted, under whose delegated authority, against which exact payload.
Who authorized this agent to perform this exact production action?
MCP · CI/CD · SQL · APIs
Agent tool calls route through MCP Guard. Routine calls pass in milliseconds. Consequential calls hold for a named signer.
Agent-authored PRs stay blocked until the right signer approves the exact commit.
Production deploys require a signed authority receipt before release workflows proceed.
Destructive SQL and broad customer-data changes require explicit approval before execution.
Two products
Open-source authority proxy for MCP. Intercepts tool calls, holds the consequential ones, mints a receipt for every decision. Start in observe mode: zero risk, full visibility.
Install MCP GuardAgent-authored merges and deploys stay held until the right human signs the exact change. Auto-approve clears low-risk paths so the gate never becomes the bottleneck.
Gate a repoFor compliance, risk, and audit leaders
Most enterprise AI logging proves the agent acted. It rarely proves the human approved the exact action at the exact moment. That gap shows up first in audit reconstruction, in SOX and FINRA exams, in FDA inspections, and in board-level questions about AI accountability. Permission Protocol is the authorization layer that captures human signoff at the action boundary and produces tamper-evident receipts built for regulatory exams.
Every consequential AI action routes to a named human signer at the action boundary, with policy decisions captured as part of the same record.
Each receipt is cryptographically signed and designed for the retention windows regulated firms operate under.
Low-risk actions flow through under policy. Consequential actions require explicit human signoff. The firm controls the calibration, not the AI vendor.
Start with production SQL. Expand to every production path.
Your engineers use Cursor, Copilot, and Claude to generate migrations. Today, who signs that SQL before it hits prod?
Permission Protocol blocks AI-generated database changes from reaching production unless there is a signed approval bound to the commit, migration hash, environment, and approver.
See a blocked migration get signedDROP COLUMN
users.email
Schema changes need named approval.
BROAD UPDATE
accounts SET tier = 'free'
Mass mutations get held.
NO ROLLBACK
migration has no down step
No down-step, no silent merge.
The receipt layer
Cleared by policy or signed by a human, each action mints the same portable, tamper-evident record: who acted, who authorized it, under which policy, at what time.
See a real signed receipt✓ ACTION AUTHORIZED
Deploy → billing-service
permissionprotocol.com/r/8f91c2
Pricing
MCP Guard is open source, and the Free plan is $0: one signer, one connected repo or MCP client, and real signed receipts.
Install MCP GuardPilot to enterprise, run with our team: prove one high-risk workflow, then expand until every consequential agent action carries a receipt.
See pricing