Skip to main content
A registered MCP server advertises whatever tools it wants — and an agent will happily call any of them. The safe posture is the inverse: decide the short list of tools you actually need, allow exactly those, and deny the rest. That’s an allow-list, and on OrcaRouter you build it out of tool_name_glob rules evaluated on the mcp surface. Every tools/call that crosses the MCP gateway is run through your firewall policy before it reaches the real server. So the allow-list isn’t advisory — a call to a tool you didn’t allow never dispatches.
Policy editing is a console action. The /api/workspace/firewall/* routes authenticate with your session / access token, not a relay sk-orca-… key. Writing rules requires the Developer+ role; any workspace member (down to Viewer) can read policies and the discovered-tools feed.

1. Why a default-deny allow-list for secure mcp tools

A deny-list — “block the dangerous tools” — fails the moment a server adds a new tool, renames one, or you connect a second server. The set of dangerous tools is open-ended; the set you meant to use is small and known. An allow-list inverts the default so the unknown is refused, not admitted:
  • New tools are denied by default. A server that grows a delete_repo tool after you connected it can’t be called until you add it to the allow-list.
  • Scope is per server. The <server>.<tool> namespace lets you allow github.create_issue while denying everything else under github.*.
  • One choke point. The same policy governs the bundled server and every BYO server behind the gateway, so there’s one place to read the allow-list.
Allow-listing pairs naturally with observe mode: turn it on first, let real traffic populate the Discovered Tools feed, then promote the tools you see into explicit allow rules and flip the default to deny.

2. The two pieces

An allow-list is a default_verdict plus an ordered set of rules.

default_verdict: deny

The policy’s fallback for any tools/call no rule matches. Set it to deny and anything you didn’t explicitly allow is blocked. (It also accepts allow and auditaudit is the default.)

allow rules

One rule per tool (or per glob). Each carries a tool_name_glob and a verdict of allow. A tools/call matching the glob resolves to allow and dispatches; everything else falls to the deny default.
The glob is matched against the namespaced tool name — github.create_issue, shell.exec. * matches any tool (use it sparingly; an allow rule with * un-does the whole allow-list). A leading <server>. scopes the glob to one server.

3. One concrete example

You connected a github server and you only want agents to read and open issues — never delete or administer anything. In the console, open Firewall → Policies, set the policy’s default verdict to deny, and add two allow rules:
Ordertool_name_globVerdict
1github.create_issueallow
2github.list_issuesallow
That’s the whole allow-list. With the default at deny:
  • github.create_issue → matches rule 1 → allow, dispatches.
  • github.delete_repo → matches nothing → deny by default.
A denied MCP call comes back to the model as a tool error (firewall deny: …) — the same shape any failing tool returns — so the agent can adapt rather than crash. (On the inbound surface a deny is instead an HTTP 400 with error code firewall_blocked.)
Rules are ordered and evaluated top-down. Don’t put a broad tool_name_glob: github.* allow above your specific deny rules — the first match wins and the wildcard would admit the very tools you meant to exclude. When in doubt, keep the allow-list narrow and lean on the deny default rather than wildcards.

4. Tightening with arguments

A tool name on the allow-list can still be called with bad arguments. Narrow further by adding an args_match clause (JSONPath + an operator like eq, contains, regex, in, or cidr_match) to the rule, or by layering a deny rule above the allow for a specific argument shape — for example, allow github.create_issue but deny it when the target repo isn’t on an approved list. See the firewall rules reference for the full operator set.
sanitize redacts a tool call’s arguments before forwarding — it never touches what a tool returns. For trimming returned content, that’s a different control; see sanitize tool output.

5. Roll it out safely

Flip a whole-server default-deny in production and you risk breaking an agent that quietly depended on a tool you forgot. Two settings de-risk it:
A per-policy flag that downgrades enforcing verdicts to audit. Your deny default and deny rules log [shadow] would deny … instead of blocking, so you can validate the allow-list against real traffic before it bites. Read more in enforcement modes.
A workspace setting that logs every uncovered call as a gap in the Discovered Tools feed. Run it before you write the allow-list to learn exactly which tools your agents call, then promote each into an explicit allow rule.
Once the shadow log is clean — no legitimate call would have been denied — clear shadow_mode and the allow-list enforces.

6. Verify it works

After enforcing, confirm denied tools actually get refused:
  • Dry-run a tools/call against the policy (Developer+) to see the verdict and which rule — or the default — produced it, without sending real traffic. Pass a tool name, surface, and sample args; the engine evaluates them and returns the verdict trace without recording an event.
  • Watch the events. Each blocked call records a firewall event a Developer+ can read in the console; the audit events page covers the feed and its fields.
Prefer not to hand-author each rule? The tight autonomy preset writes a default-deny policy for you (plus deny rules for destructive shell tools and fetch-shaped tool names), then you add back the specific tools you need. See enforcement modes for what each autonomy level installs.

Connect an MCP server

Register a server before you can allow-list its tools.

Firewall: MCP servers

The gateway’s runtime behavior and per-call verdicts.

Firewall rules reference

The full rule DSL — globs, args_match, egress, sanitize.

Dangerous tool calls

The threat an allow-list is built to contain.

Egress limits

Govern where an allowed tool may reach.

Guardrails vs. firewall

When to reach for content policy vs. tool policy.