agent-policy-builder-mcp

GlassTape/agent-policy-builder-mcp

GlassTape Agent Policy Builder is an MCP server that transforms natural language into AI governance policies.

Tools: 8 | Resources: 0 | Prompts: 0

🧩 GlassTape Policy Builder MCP Server

Transform natural language into production-ready AI governance policies.

GlassTape Policy Builder is an open-source MCP server that converts natural-language security requirements into Cerbos YAML policies with automated validation, testing, and red-teaming.
It enables security and engineering teams to integrate AI agents and applications with policy-as-code frameworks—bringing zero-trust guardrails to tool-call interception, data access, and model workflows.

🚀 Features

  • ⚙️ Natural-Language to Policy – Generate Cerbos policies from plain English using Claude or AWS Q
  • 🧠 Automated Validation – Uses the Cerbos CLI (cerbos compile, cerbos test) for syntax and logic checks
  • 🧪 Red-Team Analysis – 6-point security analysis with automatic improvement suggestions
  • 🧩 MCP Integration – Works natively in IDEs like Cursor, Zed, and Claude Desktop
  • 🔒 Air-Gapped Operation – Local-first design with no external dependencies
  • 🏷️ Topic-Based Governance – 40+ content topics with safety categorization
  • 🧾 Compliance Templates – Built-in templates for SOX, HIPAA, PCI-DSS, and EU AI Act

🚀 Quick Start

1. Prerequisites

Install Cerbos CLI (required for policy validation):

# macOS
brew install cerbos/tap/cerbos

# Linux
curl -L https://github.com/cerbos/cerbos/releases/latest/download/cerbos_Linux_x86_64 \
  -o /usr/local/bin/cerbos && chmod +x /usr/local/bin/cerbos

# Verify installation
cerbos --version

2. Install from Source

# Clone the repository
git clone https://github.com/glasstape/glasstape-policy-builder-mcp.git
cd glasstape-policy-builder-mcp/agent-policy-builder-mcp

# Basic installation
pip install -e .

# With optional LLM support (for server-side natural language parsing)
pip install -e ".[anthropic]"  # Anthropic Claude
pip install -e ".[openai]"     # OpenAI GPT
pip install -e ".[llm]"        # All LLM providers

# Development installation
pip install -e ".[dev]"

3. Configure Your MCP Client

Claude Desktop (~/Library/Application Support/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "glasstape-policy-builder": {
      "command": "glasstape-policy-builder-mcp"
    }
  }
}

Cursor/Zed: Add similar configuration in your IDE's MCP settings.

Optional: Server-side LLM (for natural language processing):

{
  "mcpServers": {
    "glasstape-policy-builder": {
      "command": "glasstape-policy-builder-mcp",
      "env": {
        "LLM_PROVIDER": "anthropic",
        "ANTHROPIC_API_KEY": "sk-ant-your-key"
      }
    }
  }
}

4. Usage Examples

Generate a Policy (in Claude Desktop or MCP-enabled IDE):

Create a payment policy for AI agents:
- Allow payments up to $50
- Block sanctioned entities
- Limit to 5 transactions per 5 minutes

List Available Templates:

list_templates

Validate a Policy:

validate_policy with policy_yaml: "<your-cerbos-yaml>"

5. Troubleshooting

Cerbos CLI not found:

  • Ensure Cerbos CLI is installed and in your PATH
  • Run cerbos --version to verify installation (note: --version not version)

MCP server not connecting:

  • Check your MCP client configuration
  • Restart your IDE after configuration changes
  • Verify the command path is correct: which glasstape-policy-builder-mcp

Installation fails with "Unable to determine which files to ship":

  • This is a known hatch build issue - ensure you're in the correct directory
  • The pyproject.toml should include [tool.hatch.build.targets.wheel] configuration

Import errors with MCP:

  • Ensure you have the correct MCP imports: from mcp.server import Server
  • Try reinstalling: pip install -e . --force-reinstall

Policy validation fails:

  • Check YAML syntax in generated policy
  • Ensure Cerbos CLI is working: cerbos compile --help
  • Review error messages for specific issues

Command not found after installation:

  • Ensure you have Python 3.10 or higher
  • Check that the entry point is correctly configured in pyproject.toml

🦭 Available Tools

When connected via MCP, you can use these tools in Claude or your IDE:

| Tool | What it does |
|------|--------------|
| generate_policy | Transform natural language → validated Cerbos YAML with topic governance |
| validate_policy | Check policy syntax with cerbos compile |
| test_policy | Run test suites against policies with cerbos compile |
| suggest_improvements | 6-point security analysis with automatic improvement suggestions |
| list_templates | Browse built-in templates (finance, healthcare, AI safety) |

Example workflow:

1. "Generate a payment policy for AI agents with $50 limit..."
   → Claude calls generate_policy
   
2. "Show me available financial templates"
   → Claude calls list_templates
   
3. "Test this policy with the test suite"
   → Claude calls test_policy
   
4. "Analyze this policy for security issues"
   → Claude calls suggest_improvements
   
5. "Validate the policy syntax"
   → Claude calls validate_policy

🧪 Example Output

Input:

"Allow AI agents to execute payments up to $50. Block sanctioned entities. 
Limit cumulative hourly amount to $50. Maximum 5 transactions per 5 minutes."

Generated Policy with Topic Governance:

# policies/payment_policy.yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "1.0.0"
  resource: "payment"
  rules:
    - actions: ["execute"]
      effect: EFFECT_ALLOW
      condition:
        match:
          expr: >
            request.resource.attr.amount > 0 &&
            request.resource.attr.amount <= 50 &&
            !(request.resource.attr.recipient in request.resource.attr.sanctioned_entities) &&
            (request.resource.attr.cumulative_amount_last_hour + request.resource.attr.amount) <= 50 &&
            request.resource.attr.agent_txn_count_5m < 5 &&
            has(request.resource.attr.topics) &&
            "payment" in request.resource.attr.topics &&
            !("adult" in request.resource.attr.topics)
    - actions: ["*"]
      effect: EFFECT_DENY

Plus:

  • ✅ Topic-based governance (payment, pii detection)
  • ✅ Safety categorization (G/PG/PG_13/R/adult_content)
  • ✅ 15+ automated test cases
  • ✅ Validated by cerbos compile
  • ✅ 6-point security analysis
  • ✅ Ready-to-deploy bundle
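
The boundaries of the generated condition above can be checked table-style before deployment. This is an added example, not part of the GlassTape project: a Python mirror of the `execute` rule's expression that reports which clause denies a request. `explain_execute`, the case names and the account ids are constructed for illustration, and it models only the condition expression, not Cerbos rule evaluation.

```python
# Added example: Python mirror of the execute rule's condition (not GlassTape code).
LIMIT = 50        # per-payment cap and cumulative hourly cap from the policy
MAX_TXN_5M = 5    # transactions allowed per 5-minute window

# One entry per clause of the expression, in the order the policy lists them.
CLAUSES = [
    ("amount > 0", lambda a: a["amount"] > 0),
    ("amount <= 50", lambda a: a["amount"] <= LIMIT),
    ("recipient not sanctioned", lambda a: a["recipient"] not in a["sanctioned_entities"]),
    ("cumulative_amount_last_hour + amount <= 50",
     lambda a: a["cumulative_amount_last_hour"] + a["amount"] <= LIMIT),
    ("agent_txn_count_5m < 5", lambda a: a["agent_txn_count_5m"] < MAX_TXN_5M),
    ("has(topics)", lambda a: "topics" in a),
    ('"payment" in topics', lambda a: "payment" in a["topics"]),
    ('"adult" not in topics', lambda a: "adult" not in a["topics"]),
]

def explain_execute(attr):
    """Return (allowed, reason); attr stands in for request.resource.attr."""
    for label, check in CLAUSES:
        try:
            ok = check(attr)
        except (KeyError, TypeError):
            # Assumption of this mirror: a missing or wrongly typed attribute denies.
            return False, f"error evaluating: {label}"
        if not ok:
            return False, f"failed: {label}"
    return True, "all clauses hold"

# Constructed sample attributes; account ids are made up.
BASE = {"amount": 20, "recipient": "acct-100", "sanctioned_entities": ["acct-666"],
        "cumulative_amount_last_hour": 0, "agent_txn_count_5m": 0, "topics": ["payment"]}
CASES = {
    "exact limit": dict(BASE, amount=50),
    "one cent over": dict(BASE, amount=50.01),
    "zero amount": dict(BASE, amount=0),
    "hourly cap exceeded": dict(BASE, cumulative_amount_last_hour=40),
    "window already full": dict(BASE, agent_txn_count_5m=5),
    "sanctioned recipient": dict(BASE, recipient="acct-666"),
    "topics missing": {k: v for k, v in BASE.items() if k != "topics"},
    "amount sent as string": dict(BASE, amount="20"),
}

def run_cases():
    return {name: explain_execute(attr) for name, attr in CASES.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in run_cases().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}: {reason}")
```

Every value the expression reads comes from request.resource.attr, so the sanction list and both counters have to be populated by the enforcement point from trusted state rather than by the agent making the request.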

📋 Complete Examples

| Category | Example | Description |
|----------|---------|-------------|
| Finance | | Payment execution with limits |
| Healthcare | | HIPAA-compliant PHI access |
| AI Safety | | Model invocation with guardrails |
| Data Access | | GDPR-compliant PII export control |
| System | | Admin access with MFA |

See for complete examples.

🧱 Architecture

flowchart TD
  A["Natural-language policy request"] --> B["GlassTape MCP Server"]
  B --> C["Intermediate Canonical Policy - JSON"]
  C --> D["Cerbos YAML policy generation"]
  D --> E["Cerbos CLI validation + testing"]
  E --> F["Ready-to-deploy policy bundle"]

Key Innovation: ICP (Intermediate Canonical Policy) serves as a language-agnostic intermediate representation, enabling deterministic generation, policy portability, and formal verification.

🧪 Development

# Clone and setup
git clone https://github.com/glasstape/glasstape-policy-builder-mcp.git
cd glasstape-policy-builder-mcp
pip install -e ".[dev]"

# Run tests
pytest

# Format code
black src/ tests/

🤝 Contributing

We welcome contributions! See for guidelines.

💪 License

Released under the . © 2025 GlassTape, Inc.


Built with ❤️ by GlassTape. Making AI agents secure by default.