A compromised IDE agent asks an MCP filesystem server to read secrets outside the workspace.
mcp.filesystem.read path=../../.envallow workspace reads; deny traversal and secret path patterns
capfence replay mcp.jsonl --policy policies/mcp.yamlJSON-RPC payload hash, tool name, path, policy hash, decision
Enterprise assistants use MCP servers for filesystem, repository, and internal service access without trusting every tool call generated by the model.
CapFence is placed in front of MCP tools as an authorization proxy that maps tool requests to deterministic capabilities.
Workspace escapes, secret reads, and unapproved tool composition are blocked while legitimate tool use remains observable and replayable.
Operational Pattern 03: MCP Filesystem Boundary
MCP servers often trust the client completely. CapFence runs as a proxy before the upstream MCP server and evaluates each tool call.
Threat
A compromised IDE agent asks an MCP filesystem server to read secrets outside the workspace.
mcp.filesystem.read path=../../.envRequest
actor: ide-agent
capability: mcp.filesystem.read
payload: {"tool": "read_file", "path": "../../.env"}
environment: developer_workstationPolicy
deny:
- capability: mcp.filesystem.read
path_contains: "../"
- capability: mcp.filesystem.read
path_contains: ".env"
allow:
- capability: mcp.filesystem.read
path_prefix: "/workspace/project"Decision
decision: DENY
reason: path_traversal_or_secret_read
upstream_mcp_invoked: falseThe upstream MCP server never receives the blocked JSON-RPC request.
Replay
capfence replay mcp.jsonl --policy policies/mcp.yamlUse replay to test workspace allowlist changes against real MCP traffic.
Audit
Record the JSON-RPC payload hash, tool name, path, actor, policy hash, decision, and replay identifier.
What CapFence does not solve
CapFence does not make an unsafe MCP server safe if agents can bypass the proxy. It controls the MCP path you route through the gateway.