
I built a self-hosted authorization runtime for AI agents and MCP tools
I’ve been experimenting with running local agents that have:
- shell access
- filesystem access
- MCP tools
- database connectivity
One thing that started bothering me was that most current agent stacks rely heavily on prompts for operational safety.
So I built CapFence:
an OSS deterministic policy runtime that sits between agents and downstream systems.
It evaluates tool calls before execution using local capability policies.
Examples:
- block destructive shell commands
- restrict filesystem access outside a workspace
- require approval for sensitive operations
- replay historical execution traces against updated policies
The MCP gateway support ended up being especially useful because it can proxy/intercept stdio tool calls transparently.
Still early, but I’d appreciate feedback from people self-hosting long-running agents or MCP setups.
Repo:
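Not part of the post above and not CapFence's code: the following is an added Python sketch of the kind of deterministic, pre-execution policy check the post describes (workspace containment, command deny/approval lists, a read-only rule for database queries, and replay of a recorded trace against a newer policy). The tool names (`read_file`, `write_file`, `shell`, `db_query`), the argument shapes, the `Policy` fields and the sample trace are all assumptions made for this illustration.

```python
"""Toy deterministic policy evaluator for agent tool calls (added example).

Not CapFence's code: tool names, argument shapes and the policy format are
assumptions made for this illustration. evaluate() is a pure function of
(call, policy), so a recorded trace can be replayed against a new policy
and the verdicts that changed can be listed.
"""
from __future__ import annotations

import posixpath
import shlex
from dataclasses import dataclass, field
from typing import Iterable

ALLOW, DENY, APPROVE = "allow", "deny", "require_approval"
SEPARATORS = {";", "&&", "||", "|", "&", "("}   # tokens that begin a new simple command
READ_ONLY_SQL = {"select", "show", "explain"}


@dataclass
class Policy:
    workspace: str                                 # files may only be touched under here
    allowed_tools: set[str]                        # capability list; anything else is denied
    denied_commands: set[str] = field(default_factory=set)    # argv[0] never allowed
    approval_commands: set[str] = field(default_factory=set)  # argv[0] needing a human OK


@dataclass(frozen=True)
class Decision:
    verdict: str
    reason: str


def inside_workspace(root: str, path: str) -> bool:
    """Lexical containment check: resolves '.' and '..' without touching the
    filesystem, so relative and absolute paths are judged the same way."""
    root = posixpath.normpath(root)
    full = posixpath.normpath(path if posixpath.isabs(path) else posixpath.join(root, path))
    return full == root or full.startswith(root.rstrip("/") + "/")


def command_names(command: str) -> list[str]:
    """argv[0] of every simple command in a shell line, so 'a && b' is checked
    as two commands. punctuation_chars makes shlex emit ';', '&&', '|' as tokens.
    Unbalanced quotes make the line unparsable, which the caller treats as deny."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    names, new_cmd = [], True
    try:
        for tok in lexer:
            if tok in SEPARATORS:
                new_cmd = True
            elif new_cmd:
                names.append(posixpath.basename(tok))  # '/bin/rm' and 'rm' are the same name
                new_cmd = False
    except ValueError:
        return []
    return names


def evaluate(call: dict, policy: Policy) -> Decision:
    """Deterministic verdict for one tool call, computed before it executes."""
    tool, args = call.get("tool"), call.get("args", {})
    if tool not in policy.allowed_tools:
        return Decision(DENY, f"tool {tool!r} is not in the capability list")
    if tool in ("read_file", "write_file"):
        path = args.get("path", "")
        if not inside_workspace(policy.workspace, path):
            return Decision(DENY, f"{path!r} is outside workspace {policy.workspace!r}")
        return Decision(ALLOW, "path inside workspace")
    if tool == "shell":
        names = command_names(args.get("command", ""))
        if not names:
            return Decision(DENY, "empty or unparsable command")
        for name in names:
            if name in policy.denied_commands:
                return Decision(DENY, f"{name!r} is on the deny list")
        if any(n in policy.approval_commands for n in names):
            return Decision(APPROVE, "command needs human approval")
        return Decision(ALLOW, "no restricted command")
    if tool == "db_query":
        first = (args.get("sql", "").strip().split() or [""])[0].lower()
        if first in READ_ONLY_SQL:
            return Decision(ALLOW, "read-only statement")
        return Decision(APPROVE, f"{first or '<empty>'} statement may mutate data")
    return Decision(DENY, f"no rule for tool {tool!r}")  # default-deny for unknown tools


def replay(trace: Iterable[dict], policy: Policy) -> list[dict]:
    """Re-evaluate recorded calls under a (newer) policy and report every call
    whose verdict differs from the one recorded at the time."""
    changes = []
    for i, entry in enumerate(trace):
        now = evaluate(entry["call"], policy)
        if now.verdict != entry["verdict"]:
            changes.append({"index": i, "was": entry["verdict"], "now": now.verdict, "reason": now.reason})
    return changes


# Constructed sample data (not real agent output). The trace holds verdicts
# recorded under an earlier, looser policy that let 'rm' run without approval.
STRICT_POLICY = Policy(
    workspace="/home/agent/project",
    allowed_tools={"read_file", "write_file", "shell", "db_query"},
    denied_commands={"shred", "dd"},
    approval_commands={"rm", "sudo", "git"},
)
SAMPLE_TRACE = [
    {"call": {"tool": "read_file", "args": {"path": "src/main.py"}}, "verdict": ALLOW},
    {"call": {"tool": "read_file", "args": {"path": "../../etc/passwd"}}, "verdict": DENY},
    {"call": {"tool": "shell", "args": {"command": "ls -la && rm -rf build/"}}, "verdict": ALLOW},
    {"call": {"tool": "db_query", "args": {"sql": "DELETE FROM sessions"}}, "verdict": APPROVE},
    {"call": {"tool": "shell", "args": {"command": "shred -u notes.txt"}}, "verdict": DENY},
]

if __name__ == "__main__":
    for entry in SAMPLE_TRACE:
        print(entry["call"], "->", evaluate(entry["call"], STRICT_POLICY))
    print("changed on replay:", replay(SAMPLE_TRACE, STRICT_POLICY))
```

Two design points worth noting: the path check is lexical (it never calls into the filesystem), which keeps the evaluator side-effect free and therefore replayable, and a shell line is split into its simple commands so that a restricted command hidden behind `&&` or `|` is still seen. Unknown tools and unparsable commands fall through to deny rather than allow.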