A new policy engine called 'perso' solves a crucial problem in controlling what Large Language Model (LLM) agents are allowed to do when using tools, offering a precise and scalable permissions system.
Ever wondered how we can control what AI agents are actually allowed to do when they use tools? A new policy engine called 'perso' offers a straightforward and powerful solution to this dilemma, meaning greater control and better security for your applications. When you're building systems on top of the Model Context Protocol (MCP) and letting Large Language Models (LLMs) call tools, a fundamental question quickly arises: who actually checks if an LLM agent is *allowed* to perform that action? The MCP specification defines how tools are discovered and invoked, but it says nothing about who's allowed to call what, or under which conditions. This is entirely left to whoever builds the host system, and often, the default solutions are far from ideal. You either end up with authorization logic scattered across each tool implementation, or a coarse role check that can't look at the specific arguments (like setting a maximum value for a refund). These approaches simply don't scale well once you have more than a couple of roles and tools in your system. That's where 'perso' steps in. It's a neat little project built with Rust, specifically designed as a policy enforcement engine for MCP tool calls. The idea is simple yet powerful: you write your access rules as plain JSON – for example, 'agents can process refunds, but only up to $500,' 'managers can delete records they own,' or 'this tool is blocked unless MFA is verified' – and 'perso' compiles these rules into a single, portable WebAssembly (.wasm) binary. Once you have this binary, you can drop it into any host environment – be it a backend server, an MCP server, an edge function, or even a command-line interface (CLI). In mere microseconds for every tool call, 'perso' answers one critical question: Allow or Deny? The LLM itself never sees or touches the user's role token; the host system owns that, extracted from its own session. 'perso' simply evaluates the tool call against your predefined policy and hands back a clear decision, along with a human-readable reason. Its conditions can check arguments, agent attributes, or resource attributes, and combine these with 'All,' 'Any,' or 'Not' logic. This means that even if an LLM was convinced to try and approve an $800 refund, the rule you set for a $500 limit will stop it. This gives you precise and efficient control over permissions, making your LLM-powered systems safer and more scalable.
