MCP Tool Gating

Add execution authority
to MCP tools.

Q: Can I connect it to a real control plane?

Yes. Set KILU_BASE_URL and KILU_API_KEY environment variables to point at a running KiLu control plane instance.

Q: Do I need human approval for every tool?

No. Only actions that your policy marks as REQUIRE_CONFIRM need explicit approval. Low-risk actions can be set to ALLOW automatically.

MCP defines how agents connect to tools.
KiLu defines whether those tools are allowed to execute.
Add ALLOW / REQUIRE_CONFIRM / BLOCK before MCP tool execution without rewriting your stack.

Agent / MCP Client ↓ Tool Request ↓ KiLu ALLOW | REQUIRE_CONFIRM | BLOCK ↓ MCP Tool Execution

View MCP Example → Explore the SDK Read Architecture

npm package live Runnable MCP proof Real control plane path Durable decision records

The Problem

MCP solves connectivity, not authority.

MCP is excellent for exposing tools to models and agents. But once a model decides to invoke a tool, most stacks still execute immediately.

That means the model proposes the action and effectively authorizes itself to act.

Prompt guardrails

Can suggest caution, but remain bypassable. No decision record is produced.

Audit logs

Show what happened — after execution. Too late to prevent unwanted side effects.

Scopes / auth metadata

Control access to tools, not whether this specific action should run right now.

What KiLu Adds

A deterministic decision layer before execution.

Model → MCP Tool → Execute
Model → Proposed Tool Action → KiLu → Decision → Execute

ALLOW

Low-risk action proceeds. Grant is issued, receipt is recorded.

REQUIRE_CONFIRM

High-risk action pauses for explicit approval before execution.

BLOCK

Policy-violating action never executes. Denial is recorded as evidence.

Why This Matters

Reasoning is not authority.

A model may be good at selecting tools. That does not mean it should authorize destructive, expensive, or sensitive actions on its own.

send email delete data mutate CRM trigger payment call external write APIs

KiLu separates tool selection from execution authority.

Integration

You do not need to rewrite your MCP stack.

Wrap tool execution, not your whole architecture.

Without KiLu

Tool handler receives request

Tool executes immediately

Approval is ad-hoc or absent

With KiLu

Tool handler submits intent

KiLu returns outcome

Execute only if allowed

Pause if confirmation required

Block if policy denies

TypeScript — before / after

// before — tool executes immediately
server.tool("send_email", schema, async (args) => {
  return sendEmail(args);
});

// after — KiLu gates execution
server.tool("send_email", schema, withKiluGate({
  actor:  "agent:mcp",
  action: "email.send",
}, async (args) => {
  return sendEmail(args);
}));

View Live MCP Example →

Real Proof

Runnable proof available now.

The MCP integration proof runs locally with a mock authority layer and can be pointed at a real KiLu control plane.

Local mock for zero-friction testing

Real SDK path via npm

Real control plane endpoint available

Decisions durably recorded

Open MCP Example → npm package GitHub repo

Comparison

Why KiLu vs common alternatives

Approach	What it does	What it misses
Prompt guardrails	Adds caution to prompts	Not authoritative — bypassable
Audit logs	Records what happened	Too late — action already ran
HITL everywhere	Adds manual pauses	Fatigue, no policy semantics
OAuth / scopes	Controls access	Not decisioning at action time
KiLu	Decides before execution	Explicit authority layer — you control policy

Engineering Value

What this gives an engineering team

Approval-bound tool execution

Explicit outcomes before side effects

Cleaner separation of reasoning and control

Durable decision trail for every tool call

Reusable authority layer across tool surfaces

Works with any MCP server implementation

FAQ

Common questions

Is KiLu a replacement for MCP?

No. MCP stays the tool connectivity layer. KiLu adds execution authority — it decides whether a specific tool invocation should proceed, pause, or be blocked.

Does KiLu replace prompt guardrails?

No. KiLu complements them by making execution decisions explicit and deterministic. Guardrails hint the model; KiLu gates the execution.

Can I run the MCP example locally?

Yes. The MCP example runs with a mock authority layer included in the SDK. No live backend required for development and testing.

Can I connect it to a real control plane?

Yes. Set KILU_BASE_URL and KILU_API_KEY environment variables to point at a running KiLu control plane instance.

Do I need human approval for every tool?

No. Only actions that your policy marks as REQUIRE_CONFIRM need explicit approval. Low-risk actions can be set to ALLOW automatically.

Get Started

Start with one MCP tool.

You do not need to redesign your system.
Wrap one high-risk tool and introduce execution authority incrementally.

View MCP Example → Install SDK Request Pilot

Add execution authorityto MCP tools.