This looks interesting, but anytime security is offloaded to an LLM I am extremely skeptical. IMO the right way to do this is to enforce permissions explicitly through a AuthZ policy. Something like what Toolhive [0] is doing is the right way I think.
All MCP comms from client to server go through an SSE proxy which has AuthN and AuthZ enabled. You can create custom policies for AuthZ using Cedar [1].
This is really interesting, I'll check it out. At least in its current form this seems like it would take some effort to setup - we're focusing heavily on making MCP Defender easy to setup in less than a minute and then forgetting about it as it runs in the background.
All MCP comms from client to server go through an SSE proxy which has AuthN and AuthZ enabled. You can create custom policies for AuthZ using Cedar [1].
[0] https://github.com/stacklok/toolhive, https://github.com/stacklok/toolhive/blob/main/docs/authz.md
[1] https://docs.cedarpolicy.com/