Understanding MCP Policies

Overview

BlueRock Secure MCP Server enforces runtime security controls through configurable MCP Protection Policies.

Policies are evaluated at runtime for both MCP client requests and MCP server responses. They operate as an enforcement layer and do not require infrastructure redeployment.

When remediation is enabled (remediate: true), the MCP client or server program execution is terminated upon a policy violation. When remediation is disabled (remediate: false), BlueRock Secure MCP Server operates in observe mode and logs policy violations while allowing execution to continue.

MCP policies can be applied to MCP servers implemented in:

• Python MCP servers • JavaScript / TypeScript MCP servers

Policies regulate:

MCP client-server connections
Transport protocols (HTTP, SSE, stdio)
Authentication requirements
Tool execution behavior
Resource access controls
Prompt invocation restrictions
Pattern-based detection in arguments and responses

Policy Categories

MCP policies are logically grouped based on the type of control they enforce.

1. Connection Control Policies

Control how MCP clients connect to MCP servers.

Capabilities include:

Restricting stdio, HTTP, or SSE transports
Enforcing authentication for HTTP/SSE connections
Configuring exception lists for specific MCP server programs or URLs

2. Tool Execution Policies

Control how MCP clients invoke tools exposed by MCP servers.

Capabilities include:

Restricting execution of specific tools
Detecting forbidden patterns in tool arguments
Inspecting tool responses for unsafe content

3. Resource Access Policies

Control access to MCP-exposed resources.

Capabilities include:

Denying specific resource URIs
Applying server-specific resource rules

4. Prompt Execution Policies

Control prompt execution behavior within MCP interactions.

Capabilities include:

Denying specific prompts from specific MCP server
Detecting unsafe prompt arguments
Inspecting prompt responses for restricted patterns

5. Built-in MCP request/response message audit policies

Provide predefined detection for common risky patterns such as:

Dangerous shell commands
Privilege escalation attempts
Sensitive file paths
Suspicious network commands
Potential data exfiltration behavior

These apply across tool calls, prompt execution, and resource interactions.

MCP Protection Policies – Use Cases

This section demonstrates runtime enforcement behavior for MCP client-server interactions in 26.08.0 Release.

Prerequisites:

This section assumes the following setup is completed:

• Create an MCP project directory • Create a Python virtual environment • Create FastMCP client and FastMCP server programs • Install the fastmcp package • Install the bluepython package • Load the bluepython package before executing the client or server program

MCP Connection Control

Deny Client Connection to stdio Server

Policy Configuration

"stdio": {
     "deny_stdio": true,
     "exception_list": []
         },

Running MCP Client with MCP stdio Server

python mcp_client.py --mcp_server mcp_fileserver_stdio.py tools --list

Expected Behavior

Policy Configuration

Result

remediate: false

Connection allowed, violation logged (WARN)

remediate: true

Connection blocked, violation logged as ERROR, program terminated

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: deny_stdio | Type: MCP stdio server not allowed | Description: Command python mcp_fileserver_stdio.py is not permitted | Location: message.command message.args | Detected Content: python mcp_fileserver_stdio.py",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: deny_stdio | Type: MCP stdio server not allowed | Description: Command python mcp_fileserver_stdio.py is not permitted | Location: message.command message.args | Detected Content: python mcp_fileserver_stdio.py",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
        "description": "Policy: deny_stdio | Type: MCP stdio server not allowed | Description: Command python mcp_fileserver_stdio.py is not permitted | Location: message.command message.args | Detected Content: python mcp_fileserver_stdio.py",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 8961,
        "source_event_id": 1,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
    "description": "Policy: deny_stdio | Command node --import bluejs tests/mcp_fileserver_stdio.js is not permitted",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-8-12",
    "origin": "acoustic JavaScript sensor",
    "remediation_kind": "block",
    "sensor_id": 5717,
    "source_event_id": 2,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

Deny stdio with Exception

Policy Configuration

"stdio": {
    "deny_stdio": true,
    "exception_list": [{"command": "python", "args": "mcp_fileserver_stdio.py"}]
    },

Running MCP Client with MCP stdio Server

python mcp_client.py --mcp_server mcp_fileserver_stdio.py tools --list

Expected Behavior

Matching command in exception list is allowed. No policy violation event is generated. A source event for the stdio connection is emitted.

Source Event

{
    "body": {
        "context": {
            "process": {
                "pid": 57817
            }
        },
        "entity_id": "ced0a915-a2a0-4e0c-b7eb-29c2497209e7",
        "server": {
            "args": [
                "--import",
                "bluejs",
                "tests/mcp_fileserver_stdio.js"
            ],
            "command": "node",
            "type": "stdio"
        }
    },
    "severity_number": 9,
    "severity_text": "INFO",
    "attributes": {
        "domain": "gyro",
        "event_name": "js_mcp_client_connect",
        "hostid": "ip-172-31-8-12",
        "origin": "bluejs",
        "sensor_id": 5717,
        "source_event_id": 2,
        "type": "event"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

Deny Client Connection to HTTP Server

Policy Configuration

"http_servers": {
     "deny_http": true,
     "deny_sse": false,
     "exception_list": [],
     "force_authentication": false
 },

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token tools --list

Expected Behavior

Mode

Result

remediate: false

Connection succeeds, WARN logged

remediate: true

Connection blocked

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_allowed_http_servers | Type: HTTP (no ssl/tls) connections not allowed | Description: HTTP server URL 'http://127.0.0.1:8001/mcp' is not permitted | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro"
   "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_allowed_http_servers | Type: HTTP (no ssl/tls) connections not allowed | Description: HTTP server URL 'http://127.0.0.1:8001/mcp' is not permitted | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro"
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
    "description": "Policy: check_allowed_http_servers | Type: HTTP (no ssl/tls) connections not allowed | Description: HTTP server URL 'http://127.0.0.1:8001/mcp' is not permitted | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-22-6",
    "origin": "acoustic Python sensor",
    "remediation_kind": "block",
    "sensor_id": 2692,
    "source_event_id": 1,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
    "description": "Policy: check_allowed_http_servers | Type: HTTP (no ssl/tls) connections not allowed | Description: HTTP server URL 'http://127.0.0.1:8001/mcp' is not permitted | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-22-6",
    "origin": "acoustic JavaScript sensor",
    "remediation_kind": "block",
    "sensor_id": 2692,
    "source_event_id": 1,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

Deny HTTP Server with Exception

Policy Configuration

   "http_servers": {
     "deny_http": true,
     "deny_sse": false,
     "exception_list": [" http://0.0.0.0:8001/mcp"],
     "force_authentication": false
    },

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token tools --list

Expected Behavior

HTTP connections blocked by default. URL in exception list is allowed. No violation event generated.

Example Source Event

{
    "body": {
        "context": {
            "process": {
                "pid": 58843
            }
        },
        "entity_id": "8ec00313-5e83-4d60-be2f-f90297f0f451",
        "server": {
            "auth": true,
            "type": "http",
            "url": "http://127.0.0.1:8001/mcp"
        }
    },
    "severity_number": 9,
    "severity_text": "INFO",
    "attributes": {
        "domain": "gyro",
        "event_name": "js_mcp_client_connect",
        "hostid": "ip-172-31-8-12",
        "origin": "bluejs",
        "sensor_id": 5722,
        "source_event_id": 2,
        "type": "event"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }

Deny any mcp server connection without authentication

Policy Configuration

"http_servers": {
    "deny_http": false,
    "deny_sse": false,
    "exception_list": [],
    "force_authentication": true
},

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp  tools --list

Expected Behavior

Mode

Result

remediate: false

Unauthenticated connection allowed, WARN logged

remediate: true

Unauthenticated connection blocked

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_allowed_http_servers | Type: Unauthenticated HTTP request are not permited | Description: Unauthenticated HTTP request to http://127.0.0.1:8001/mcp | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_allowed_http_servers | Type: Unauthenticated HTTP request are not permited | Description: Unauthenticated HTTP request to http://127.0.0.1:8001/mcp | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
    "description": "Policy: check_allowed_http_servers | Type: Unauthenticated HTTP request not permitted | Description: Unauthenticated HTTP request to http://127.0.0.1:8001/mcp | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp"
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 2692,
        "source_event_id": 1,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
"description": "Policy: check_allowed_http_servers | Type: HTTP (no ssl/tls) connections not allowed | Description: HTTP server URL 'http://127.0.0.1:8001/mcp' is not permitted | Location: message.url | Detected Content: http://127.0.0.1:8001/mcp",
"origin": "acoustic JavaScript sensor",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-8-12",
    "remediation_kind": "block",
    "sensor_id": 5722,
    "source_event_id": 2,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

MCP Tool Execution Control

Tool Overwrite - Denied tools are excluded from the tool/list

Policy Configuration

 {
 "server": {
      "enable": true,
      "remediate": true,
      "tools": {"FileServer": {"deny_list": ["remove_file"]}},
      "prompts": {},
      "resources": {}
  }

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token tools --list

Expected Behavior

Mode

Result

remediate: false

Tool is listed and violation logged

remediate: true

Tool is excluded from the list of tools.

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Tools stripped from tool discovery result from server 'FileServer'. Blocked tools: remove_file",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Tools stripped from tool discovery result from server 'FileServer'. Blocked tools: remove_file",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
  "description": "Policy: check_patterns_in_tools_resp | Type: pattern detection | Description: Tools stripped from tool discovery result from server 'FileServer' due to forbidden patterns | Location: tools.response | Detected Content: N/A"
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-22-6",
    "origin": "acoustic Python sensor",
    "remediation_kind": "block",
    "sensor_id": 9873,
    "source_event_id": 6,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerock"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
  "description": "Policy: check_patterns_in_tools_resp | Type: pattern detection | Description: Tools stripped from tool discovery result from server 'FileServer' due to forbidden patterns | Location: tools.response | Detected Content: N/A"
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-22-6",
    "origin": "acoustic JavaScript sensor",
    "remediation_kind": "block",
    "sensor_id": 2692,
    "source_event_id": 1,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

Deny Specific Tool from Specific MCP Server

Policy Configuration

 "server": {
      "enable": true,
      "remediate": true,
      "tools": {"FileServer": {"deny_list": ["remove_file"]}},
      "prompts": {},
      "resources": {}
  }

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token tools --tool_cmd remove_file --tool_args '{"filename" : "testfile.tmp"}'

Expected Behavior

Mode

Result

remediate: false

Tool executes, violation logged

remediate: true

Tool call blocked

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_client_request_allowed | Type: Client Tools Request Denied | Description: Tool requested is not allowed | Location: message.params.name | Detected Content: Server: '\"FileServer\"', Tool: '\"list_files\"'",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_client_request_allowed | Type: Client Tools Request Denied | Description: Tool requested is not allowed | Location: message.params.name | Detected Content: Server: '\"FileServer\"', Tool: '\"list_files\"'",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
     "type": "log"
  }
}

OTEL Violation (Enforce)

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
        "description": "Policy: check_client_request_allowed | Type: Client Tools Request Denied | Description: Tool requested is not allowed | Location: message.params.name | Detected Content: Server: '\"FileServer\"', Tool: '\"list_files\"'",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 9197,
        "source_event_id": 10,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
        "description": "Policy: check_client_request_allowed | Type: Client Tools Request Denied | Description: Tool requested is not allowed | Location: message.params.name | Detected Content: Server: '\"FileServer\"', Tool: '\"list_files\"'",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic JavaScript sensor",
        "remediation_kind": "block",
        "sensor_id": 9197,
        "source_event_id": 10,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

Tool Argument Pattern Detection

Policy Configuration

"forbidden_tool_argument_patterns": [
  "\\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b"
]

Running MCP Client with MCP HTTP Server

python mcp_client.py \
--mcp_server http://0.0.0.0:8001/mcp \
--mcp_auth_token dev-token \
tools \
--tool_cmd read_file \
--tool_args '{"filename":"test_script.bash"}'

If the tool argument contains commands matching the built-in forbidden patterns (for example cat, rm, grep, etc.), the request triggers the built-in MCP audit policy.

Expected Behavior

Mode

Result

remediate: false

Tool executes, WARN logged

remediate: true

Tool blocked

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_tools_arguments | Type: pattern detection | Description: \\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b: '\"cat\" (0..3)' | Location: arguments.command | Detected Content: cat test_script.bash",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_tools_arguments | Type: pattern detection | Description: \\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b: '\"cat\" (0..3)' | Location: arguments.command | Detected Content: cat test_script.bash",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
   "description": "Policy: check_patterns_in_tools_arguments | Type: pattern detection | Description: \\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b: '\"cat\" (0..3)' | Location: arguments.command | Detected Content: cat test_script.bash",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-22-6",
    "origin": "acoustic Python sensor",
    "remediation_kind": "block",
    "sensor_id": 7345,
    "source_event_id": 16,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
   "description": "Policy: check_patterns_in_tools_arguments | Type: pattern detection | Description: \\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b: '\"cat\" (0..3)' | Location: arguments.command | Detected Content: cat test_script.bash",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-8-12",
    "origin": "acoustic JavaScript sensor",
    "remediation_kind": "block",
    "sensor_id": 5722,
    "source_event_id": 2,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

Tool Response Pattern Detection

Policy Configuration

"forbidden_tool_response_patterns": [ "\\b(?:bash|sh|curl|wget|nc)\\b"]

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token tools  --tool_cmd read_file --tool_args '{"filename":"unsafetext.txt"}'

Expected Behavior

If tool output contains forbidden patterns:

Mode

Result

remediate: false

Response allowed, violation logged

remediate: true

Response blocked

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_tool_resp | Type: pattern detection | Description: \\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b: '\"nc\" (0..2)' | Location: content[0].[\"text\"] | Detected Content: nc -lnvp 1234\n",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_tool_resp | Type: pattern detection | Description: \\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b: '\"nc\" (0..2)' | Location: content[0].[\"text\"] | Detected Content: nc -lnvp 1234\n",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
    "description": "Policy: check_patterns_in_tools_arguments | Type: pattern detection | Description: \\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b: '\"cat\" (0..3)' | Location: arguments.command | Detected Content: cat test_script.bash",
    "origin": "acoustic Python sensor",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 9874,
        "source_event_id": 6,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
    "description": "Policy: check_patterns_in_tools_arguments | Type: pattern detection | Description: \\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b: '\"cat\" (0..3)' | Location: arguments.command | Detected Content: cat test_script.bash",
        "origin": "acoustic JavaScript sensor",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic JavaScript sensor",
        "remediation_kind": "block",
        "sensor_id": 9874,
        "source_event_id": 6,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

MCP Resource Access Control

Deny Specific Resource

Policy Configuration

"server": {
    "enable": true,
    "remediate": true,
    "tools": {},
    "prompts": {},
    "resources": {"FileServer": {"deny_list": ["config://app-settings"]}}
},

Running MCP Client with MCP HTTP Server

Run the MCP client with a resource URI that matches the deny_list.

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token  resources --resource_uri config://app-settings

Expected Behavior

Mode

Result

remediate: false

Resource allowed, violation logged

remediate: true

Resource access denied

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_server_request_allowed | Type: Server Resources Request Denied | Description: Resource requested is not allowed | Location: message.params.uri | Detected Content: Server: '\"FileServer\"', Resource: '\"config://app-settings\"'",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
     "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_server_request_allowed | Type: Server Resources Request Denied | Description: Resource requested is not allowed | Location: message.params.uri | Detected Content: Server: '\"FileServer\"', Resource: '\"config://app-settings\"'",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
        "description": "Policy: check_server_request_allowed | Type: Server Resources Request Denied | Description: Resource requested is not allowed | Location: message.params.uri | Detected Content: Server: '\"FileServer\"', Resource: '\"config://app-settings\"'",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 7345,
        "source_event_id": 11,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
        "description": "Policy: check_patterns_in_tool_resp | Type: pattern detection | Description: \\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b: '\"nc\" (0..2)' | Location: content[0].[\"text\"] | Detected Content: nc -lnvp 1234\n",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic JavaScript sensor",
        "remediation_kind": "block",
        "sensor_id": 9873,
        "source_event_id": 6,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }

MCP Prompt Execution Control

Deny Specific Prompt

Policy Configuration

"server": {
    "enable": true,
    "remediate": true,
    "tools": {},
    "prompts": {"FileServer": {"deny_list": ["useful_helper_prompt"]}},
    "resources": {}
},

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token prompts --prompt_name useful_helper_prompt --prompt_args '{"lang": "java"}'

Expected Behavior

Mode

Result

remediate: false

Prompt execution proceeds, but a violation event is generated.

remediate: true

Prompt invocation is blocked and the MCP client execution is terminated.

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_server_request_allowed | Type: Server Prompts Request Denied | Description: Prompt requested is not allowed | Location: message.params.name | Detected Content: Server: '\"FileServer\"', Prompt: '\"useful_helper_prompt\"'",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_server_request_allowed | Type: Server Prompts Request Denied | Description: Prompt requested is not allowed | Location: message.params.name | Detected Content: Server: '\"FileServer\"', Prompt: '\"useful_helper_prompt\"'",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
    "description": "Policy: check_server_request_allowed | Type: Server Resources Request Denied | Description: Resource requested is not allowed | Location: message.params.uri | Detected Content: Server: '\"FileServer\"', Resource: '\"config://app-settings\"'",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 7345,
        "source_event_id": 16,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
    "description": "Policy: check_server_request_allowed | Type: Server Prompts Request Denied | Description: Prompt requested is not allowed | Location: message.params.name | Detected Content: Server: '\"FileServer\"', Prompt: '\"useful_helper_prompt\"'",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-8-12",
    "origin": "acoustic JavaScript sensor",
    "remediation_kind": "block",
    "sensor_id": 5722,
    "source_event_id": 2,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

Prompt Argument Pattern Detection

Policy Configuration

"forbidden_prompt_arg_patterns": [
  "\\b(?:bash|sh|curl|wget|nc|sudo)\\b"
]

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server  http://0.0.0.0:8001/mcp --mcp_auth_token dev-token prompts --prompt_name useful_helper_prompt --prompt_args '{"lang": "bash"}'

Expected Behavior

Mode

Result

remediate: false

Prompt execution proceeds, but a violation event is generated.

remediate: true

Prompt invocation is blocked and the MCP client execution is terminated.

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_prompt_arguments | Type: pattern detection | Description: \\b(?:bash|sh|zsh|fish|csh|tcsh)\\b: '\"bash\" (0..4)' | Location: arguments.lang | Detected Content: bash",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_prompt_arguments | Type: pattern detection | Description: \\b(?:bash|sh|zsh|fish|csh|tcsh)\\b: '\"bash\" (0..4)' | Location: arguments.lang | Detected Content: bash",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
    "description": "Policy: check_patterns_in_prompt_arguments | Type: pattern detection | Description: \\b(?:bash|sh|zsh|fish|csh|tcsh)\\b: '\"bash\" (0..4)' | Location: arguments.lang | Detected Content: bash",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 9858,
        "source_event_id": 8,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }

{
  "body": "mcp_policy_violation",
  "severity_number": 17,
  "severity_text": "ERROR",
  "attributes": {
    "description": "Policy: check_patterns_in_prompt_arguments | Prompt invocation blocked due to forbidden content: bash",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "hostid": "ip-172-31-8-12",
    "origin": "acoustic JavaScript sensor",
    "remediation_kind": "block",
    "sensor_id": 5722,
    "source_event_id": 2,
    "type": "remediation"
  },
  "scope": {
    "name": "bluerockd"
  },
  "resource": {
    "service.name": "bluerock"
  }
}

Prompt Response Pattern Detection

Policy Configuration

"forbidden_prompt_response_patterns": [ "\\b(?:curl|wget|nc|ssh)\\b"]

Running MCP Client with MCP HTTP Server

python mcp_client.py --mcp_server http://0.0.0.0:8001/mcp --mcp_auth_token dev-token prompts --prompt_name useful_helper_prompt --prompt_args '{ "lang": "java" }'

Expected Behavior

If response contains nc, curl, etc:

Mode

Result

remediate: false

Response allowed, violation logged

remediate: true

Response blocked

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_prompt_resp | Type: pattern detection | Description: \\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b: '\"nc\" (76..78)' | Location: messages[0].[\"content\", \"text\"] | Detected Content: You are an expert in java.  create or update file using java code that uses nc.",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_patterns_in_prompt_resp | Type: pattern detection | Description: \\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b: '\"nc\" (76..78)' | Location: messages[0].[\"content\", \"text\"] | Detected Content: You are an expert in java.  create or update file using java code that uses nc.",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

OTEL Violation (Enforce)

Please remove existing and add:
{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
        "description": "Policy: check_patterns_in_prompt_resp | Type: pattern detection | Description: \\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b: '\"nc\" (53..55)' | Location: messages[0].[\"content\", \"text\"] | Detected Content: You are an expert in java. write java code that uses nc.",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic Python sensor",
        "remediation_kind": "block",
        "sensor_id": 9859,
        "source_event_id": 8,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

{
    "body": "mcp_policy_violation",
    "severity_number": 17,
    "severity_text": "ERROR",
    "attributes": {
        "description": "Policy: check_patterns_in_prompt_resp | Type: pattern detection | Description: \\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b: '\"nc\" (53..55)' | Location: messages[0].[\"content\", \"text\"] | Detected Content: You are an expert in java. write java code that uses nc.",
        "domain": "gyro",
        "event_name": "mcp_policy_violation",
        "hostid": "ip-172-31-22-6",
        "origin": "acoustic JavaScript sensor",
        "remediation_kind": "block",
        "sensor_id": 9859,
        "source_event_id": 8,
        "type": "remediation"
    },
    "scope": {
        "name": "bluerockd"
    },
    "resource": {
        "service.name": "bluerock"
    }
}

Message Size Violation

Policy Configuration

"message_threshold": {
  "enable": true,
  "remediate": true,
  "threshold": 256
}

Running MCP Client with MCP HTTP Server

python mcp_client.py \
--mcp_server http://0.0.0.0:8001/mcp \
--mcp_auth_token dev-token \
tools \
--tool_cmd write_file \
--tool_args '{"filename":"test.txt","content":"<large content>"}'

node --import bluejs tests/mcp_client.js \
--mcp_server http://0.0.0.0:8001/mcp \
--mcp_auth_token dev-token \
tools \
--tool_cmd write_file \
--tool_args '{"filename":"test.txt","content":"<large content>"}'

Expected Behavior

Mode

Behavior

remediate: false

Request proceeds; violation logged (WARN)

remediate: true

Request proceeds; violation logged (WARN)

OTEL Violation (Observe)

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_message_size | Type: Message size limit exceeded | Description: Message size of 272 bytes exceeds threshold of 256 bytes, sent by the Client | Location: message | Detected Content: N/A",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

{
  "body": "mcp_policy_violation",
  "severity_number": 13,
  "severity_text": "WARN",
  "attributes": {
    "description": "Policy: check_message_size | Type: Message size limit exceeded | Description: Message size of 272 bytes exceeds threshold of 256 bytes, sent by the Client | Location: message | Detected Content: N/A",
    "domain": "gyro",
    "event_name": "mcp_policy_violation",
    "origin": "uc-gyro",
    "type": "log"
  }
}

Summary

Mode

Behavior

remediate: false

Observe mode – Action allowed, WARN logged

remediate: true

Enforce mode – Action blocked, ERROR logged

All violations are emitted as OTEL events and sent to external collector such as AWS CloudWatch based on the configurations.

event_name: mcp_policy_violation
severity_text: WARN or ERROR
type:
- "log" (observe events)
- "remediation" (enforce events)
remediation_kind: "block" (enforce mode only)

PreviousMCP Sensor Observability NextBlueRock Sandbox

Last updated 24 days ago