"Read-only" in MCP setups is often just a suggestion — enforced by docs, prompts, or trust in the agent. In practice, that’s easy to bypass.
Heimdall MCP (a transparent MCP proxy) takes a different approach: it enforces policies in code, not instructions. You define exactly what each server can and cannot do using a simple config file.
Drop a heimdall.config.ts in your repo for local rules, and optionally a global config at ~/.config/heimdall/heimdall.config.ts to enforce baseline restrictions across all projects.
Per-server allow/deny rules for tools, prompts, and resources are enforced at the proxy layer. Blocked calls never reach the real server — they return a clean JSON-RPC error and are still logged with policy.blocked = true.
// heimdall.config.ts — enforced at runtime, not just suggested
export default {
  servers: {
    filesystem: {
      tools: {
        allow: ['read_file', 'list_directory'],
        deny: ['write_file', 'delete_file'],
      },
    },
  },
} satisfies HeimdallConfig;
heimdall-mcp init # scaffold config
heimdall-mcp health # validate + detect conflicts
Why it matters:
An agent once called write_file in a directory it should never have touched. Nothing stopped it — because “read-only” lived in prompts, not enforcement.
With Heimdall, restrictions are guaranteed at runtime. No prompt can override them. No tool description can lie.
Wrap your MCP servers with this proxy, and you move from trust-based safety → enforced boundaries.
Global rules set a floor your team can’t weaken. Local rules add stricter controls per project. Global deny always wins.
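To make the proxy-layer enforcement and the "global deny always wins" rule concrete, here is an added sketch (not Heimdall's own code) of how a proxy could evaluate a tools/call against two policy layers, return a JSON-RPC error, and log policy.blocked. All type and function names, the merge semantics beyond deny precedence, and the -32000 error code are assumptions.

```typescript
// Added illustration, not Heimdall's source: all type and function names are hypothetical.
type Rules = { allow?: string[]; deny?: string[] };
type Policy = { servers: Record<string, { tools?: Rules }> };
type Decision = { allowed: boolean; reason: string };
type RpcRequest = { jsonrpc: "2.0"; id: number; method: string; params?: { name?: string } };
type RpcError = { jsonrpc: "2.0"; id: number; error: { code: number; message: string } };
type LogEntry = { server: string; tool: string; policy: { blocked: boolean; reason: string } };

// Constructed sample policies: the global layer is the floor, the local layer is per project.
const GLOBAL: Policy = { servers: { filesystem: { tools: { deny: ["write_file", "delete_file"] } } } };
const LOCAL: Policy = { servers: { filesystem: { tools: { allow: ["read_file", "write_file"] } } } };

const has = (list: string[] | undefined, tool: string): boolean =>
  list !== undefined && list.indexOf(tool) !== -1;

// Assumed merge semantics: a deny in either layer blocks, and any layer that
// defines an allow list must contain the tool, so a local file can only tighten.
function decide(globalCfg: Policy, localCfg: Policy, server: string, tool: string): Decision {
  const layers: [string, Rules | undefined][] = [
    ["global", globalCfg.servers[server]?.tools],
    ["local", localCfg.servers[server]?.tools],
  ];
  for (const [name, rules] of layers) {
    if (has(rules?.deny, tool)) return { allowed: false, reason: `${name} deny` };
  }
  for (const [name, rules] of layers) {
    if (rules?.allow && !has(rules.allow, tool)) {
      return { allowed: false, reason: `not in ${name} allow list` };
    }
  }
  return { allowed: true, reason: "permitted" };
}

const auditLog: LogEntry[] = [];

// Returns a JSON-RPC error for a blocked tools/call, or null when the proxy should
// forward the request. Other methods pass through untouched in this sketch.
function intercept(globalCfg: Policy, localCfg: Policy, server: string, req: RpcRequest): RpcError | null {
  if (req.method !== "tools/call") return null;
  const tool = req.params?.name ?? "";
  const d: Decision = tool
    ? decide(globalCfg, localCfg, server, tool)
    : { allowed: false, reason: "missing tool name" };
  auditLog.push({ server, tool, policy: { blocked: !d.allowed, reason: d.reason } });
  if (d.allowed) return null;
  // -32000 is an assumed code from the JSON-RPC implementation-defined range.
  return { jsonrpc: "2.0", id: req.id, error: { code: -32000, message: `Blocked by policy: ${tool || "?"} (${d.reason})` } };
}
```

In the sample data the local file lists write_file in its allow list, yet the call is still rejected by the global deny, and list_directory is rejected because the local allow list is narrower than the global layer.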
Link: https://github.com/enmanuelmag/heimdall-mcp
Have you run into agents doing things they absolutely shouldn’t? How are you locking that down today?