KeypostKeypost
Now in private beta

Keypost Policy Model

How policy enforcement works at runtime for MCP pipelines.

What “policy” means in Keypost

In Keypost, a policy is a deterministic rule evaluated at runtime, directly in the request path between an agent and an MCP server. Policies are not advisory and do not rely on agent-side cooperation. Every request is evaluated before a tool is executed.

This allows teams to define clear, enforceable boundaries around what agents can do, under what conditions, and with what limits - without modifying agent code or MCP servers.

Where policies run

Keypost sits between an agent and an MCP server. All tool calls flow through Keypost, where policies are evaluated synchronously before the request is forwarded.

Agent → Keypost → MCP server
         ↑
     Policy engine

Because enforcement happens at the network boundary, policies cannot be bypassed by agent behavior, prompt changes, or SDK inconsistencies.

Policy evaluation pipeline

Policies are evaluated in a fixed, deterministic order. The first policy to deny a request terminates evaluation. Errors fail closed by default.

  • Access control (allow/deny, environment, identity)
  • Constraints (parameter validation, schedules, geo rules)
  • Rate and cost controls (throttles, quotas, budgets)
  • Safety and compliance (DLP checks, field redaction, approvals, auditing)
  • Reliability controls (timeouts, caching, fallback behavior)

This layered approach ensures predictable outcomes and clear failure semantics.

Composability by design

Keypost policies are intentionally small and composable. Most real-world deployments combine three to six policies rather than relying on a single complex rule.

For example, a production MCP pipeline might combine:

  • Deny destructive tools in production
  • Restrict file system paths and parameters
  • Rate-limit expensive tools
  • Enforce per-environment cost budgets
  • Redact sensitive fields (passwords, tokens) from audit logs
  • Require full audit logging for all tool calls

Failure modes and guarantees

  • Fail-closed by default
  • Deterministic policy evaluation
  • No silent bypass or partial enforcement
  • Every decision is logged and auditable

These guarantees are critical for running agents safely in production environments.

Policy enforcement vs. policy in code

Agent-side checks and prompt-based safeguards are fragile and easy to bypass. Keypost enforces policy centrally, at the network boundary, ensuring consistent behavior across agents, teams, and environments.

Complete policy schema

This page describes how policies are evaluated. For the full policy schema - including all supported policy types and configuration options - see the documentation.