Image 1 — MCP Boundary v0.1.3 - boundary checks for MCP tool calls with real side effects (last build was broken, now fixed. Agent loop stopped in the shown example)
Image 2 — MCP Boundary v0.1.3 - boundary checks for MCP tool calls with real side effects (last build was broken, now fixed. Agent loop stopped in the shown example)
▲ 7 r/modelcontextprotocol+3 crossposts

MCP Boundary v0.1.3 - boundary checks for MCP tool calls with real side effects (last build was broken, now fixed. Agent loop stopped in the shown example)

Follow-up to my post from two weeks ago. People downloaded it, but that build (v0.1.0) was broken - it likely wouldn't even start, and we didn't catch it at the time. It's fixed now (v0.1.3). Reposting for anyone who tried that version and wrote it off - it actually runs now.

>The problem we are trying to solve is: tool access is not the same as impact permission. A model or agent may be allowed to call a tool, but that does not always mean this specific write, delete, update, or retry should happen now.

A few things you can do with it:

  • restrict arguments, not whole tools (for example, allow sending only to approved recipient domains)
  • bind writes to observed state, so a write does not run if the world changed since the read
  • see every call, decision, reason, and outcome in a local dashboard

MCP Boundary checks each call against your policy and the current state before it hits the real system. It then allows it, blocks it, or asks the agent to refresh state - and when it blocks, the agent gets a structured reason it can act on, not just an error.

It runs locally, and wraps your existing command-based (stdio) MCP servers within 2 minutes.

It is not an enterprise gateway, a DLP system, or a prompt-injection detector, and it only covers calls routed through it.

I'm looking for feedback from people running MCP workflows with side effects - especially where the policy model is too strict or too loose for your setup.

Site: https://mcpboundary.com

Repo: https://github.com/impact-boundary-labs/MCPBoundary

u/madiamo — 7 days ago

Looking for feedback: boundary checks before MCP tool calls change external systems

A while ago I posted here about Impact Boundary Labs and the idea of separating agent intent from external impact.

We now finally released the first concrete version for MCP tool-calling workflows.

It is meant for agents connected to MCP tools that can change state:

An Agent satisfyingly completed his task.

The problem we are trying to solve is that tool access is not impact permission.

An agent may be allowed to call a tool, but that does not automatically mean this specific write, update, delete, retry, or deployment should be allowed now.

MCP Boundary sits between the MCP client or agent and the MCP server. It checks routed tool calls before they reach the downstream server, and gives the agent feedback at bad attempts.

The claim is not that this proves every MCP server is internally safe. If a server hides destructive behavior inside a harmless-looking tool, the user still has to trust and vet that server. The goal is to make the routed MCP call explicit, checked, logged, and recorded before it changes the target system.

I am looking for feedback from people running agents with state-changing MCP tools.

  • Which MCP tools or servers would you actually want guarded?
  • How do you currently handle retries after state changed?
  • Do you split safe and high-impact tools, or rely on confirmation prompts?
  • Would you be interested in a scoped read path through the boundary core?
reddit.com
u/madiamo — 17 days ago
▲ 5 r/modelcontextprotocol+2 crossposts

Just published - looking for feedback: boundary checks for MCP tool calls with real side effects

Not every MCP setup needs this. If your MCP server is read-only, this is probably less relevant.

It is built for MCP clients, agents, and tool-calling workflows where tools can create real side effects: updating records, deleting files, changing tickets, writing to databases, triggering deployments, or retrying writes after state has changed.

The problem we are trying to solve is:

Tool access is not the same as impact permission.

A model or agent may be allowed to call a tool, but that does not always mean this specific write, delete, update, or retry should happen now.

MCP Boundary sits between the MCP client or agent and the MCP server and checks calls before they hit the real system.

I’m looking for feedback from people running MCP workflows with side effects.

Site:
https://mcpboundary.com
Built from:
https://impactboundarylabs.com

reddit.com
u/madiamo — 17 days ago

We are building Impact Boundary Labs: a control layer between agent intent and real impact

Hi,

we are working on Impact Boundary Labs, a project around a simple problem:

AI agents are becoming useful enough to do real work, but that also means their mistakes can become real effects.

I do not think the main issue is that agents make mistakes. Humans make mistakes too. The problem is when an agent can directly turn a wrong assumption into a PR, email, database update, file change, or workflow trigger.

The idea behind Impact Boundary Labs is:

  • agents can read, reason and propose intent, but
  • they should not directly own the final action path

https://reddit.com/link/1twgveg/video/xvqvusuwk85h1/player

A separate Core checks state, scope, policy and risk before deciding:

  • allowed
  • blocked
  • needs review
  • conflict / re-read state

Only admitted intent becomes external impact.

We have a public Impact Room demo and a GitHub Gateway reference adapter. The GitHub adapter does not try to prove semantic correctness or scan secrets. Its narrower goal is to prevent unadmitted agent impact before it becomes a PR.

I am looking for honest and critical feedback on the framing:

does “intent before impact” make sense as a useful boundary for agent workflows, or does this still feel too abstract?

We really want to know, if we are going into the right direction.

reddit.com
u/madiamo — 1 month ago

I built a Hugging Face Docker Space where an agent must pass a boundary before impact

The demo is built around a simple rule:

the agent may reason, plan and propose
but the Core decides what becomes impact

The agent’s goal is to open the impact door. It cannot trigger the final action directly. It has to request state, submit intent, and pass the boundary first.

This is not a model-correctness demo. It is a small environment for exploring the missing layer between agent intent and external effect:

read path -> state -> intent -> decision -> outcome evidence

External impact is disabled in the public demo, but the Core decision path runs inside the Docker Space.

https://huggingface.co/spaces/davidloibner/impactroom-live-preview

u/madiamo — 1 month ago

We built a GitHub gateway for AI agents before they create PRs

AI coding agents can propose useful changes, but I do not want them to directly own the GitHub write path.

This is a small GitHub gateway for agents.

It does not try to prove semantic correctness, and it is not a secret scanner. The focus is narrower: checking whether an agent-proposed change is allowed to become PR impact.

It currently checks things like:

  • source-state binding
  • read-state validation
  • drift detection
  • idempotency
  • PR reuse
  • same-PR follow-up
  • parent-head revalidation
  • policy/scope checks before PR creation
  • evidence for why something was admitted or blocked

Would be curious if this is the kind of trust check you would want in a PR flow, or if you would need it earlier during implementation.

u/madiamo — 1 month ago

Where do you put the final-action boundary in AI agent workflows?

We are working on a small open tool around controlling agent impact, and i am trying to understand if this is actually useful for people building real workflows.

The problem i keep thinking about is not the agent writing a bad answer. it is the agent doing the final action too early.

Examples:

* sending an email

* updating a database record

* opening a pr

* changing a file

* triggering a deploy

* posting to slack or jira

Our idea is pretty simple: the agent can read, plan, and propose what it wants to do, but it should not directly own the final action. a small boundary says yes / no / needs review, and an adapter applies only admitted work.

we want this to be open/community friendly, so people could build adapters for their own workflows.

We are mainly looking for honest feedback:

Does this sound useful in real agent workflows?

Is it too much friction?

or is this just the wrong layer?

reddit.com
u/madiamo — 1 month ago