A policy-driven execution layer for securely exposing tools to AI agents via the Model Context Protocol (MCP).
Guardrail is an infrastructure library for building secure, governed MCP servers in Go. It provides a deterministic execution pipeline that sits between AI agents and your internal systems — enforcing policies, logging activity, and protecting sensitive resources.
The Model Context Protocol (MCP) allows AI agents to call tools exposed by servers.
However, MCP alone does not provide:
- Fine-grained access control
- Rate limiting
- Execution timeouts
- Audit logging
- Policy enforcement
- Deterministic execution flow
Guardrail solves this by introducing a policy-aware execution engine that wraps tool invocation.
Instead of exposing raw functions to AI agents, Guardrail exposes:
Governed capabilities.
Guardrail separates responsibilities clearly:
```text
MCP Client
    ↓
Transport (stdio / HTTP)
    ↓
MCP Adapter
    ↓
Execution Engine
    ↓
Tool
```
- Tool – A capability that can be executed.
- Registry – Stores and manages available tools.
- Invocation – Internal representation of a tool call.
- Executor – Runs tools through a policy pipeline.
- Adapter (MCP) – Bridges MCP protocol to Guardrail core.
The core execution engine is protocol-agnostic and does not depend on MCP.
- Behavior-first tool abstraction
- Strict separation of protocol and execution logic
- Deterministic execution pipeline
- No global state
- Policy-driven extensibility
- Infrastructure-grade naming and structure
```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/modelcontextprotocol/go-sdk/mcp" // assumed: official Go MCP SDK, source of mcp.StdioTransport
	"example.com/guardrail/execution"            // "example.com/guardrail" is a placeholder for the real module path
	"example.com/guardrail/mcpadapter"
	"example.com/guardrail/tool"
)

type HelloTool struct{}

func (HelloTool) Name() string { return "hello" }

func (HelloTool) Spec() tool.Spec {
	return tool.Spec{
		Title:       "Hello Tool",
		Description: "Greets a user by name",
		InputSchema: map[string]any{
			"type": "object",
			"properties": map[string]any{
				"name": map[string]any{"type": "string"},
			},
			"required": []any{"name"},
		},
	}
}

func (HelloTool) Execute(ctx context.Context, input any) (any, error) {
	// Reject a missing or non-string name instead of silently greeting nobody.
	m, _ := input.(map[string]any)
	name, ok := m["name"].(string)
	if !ok || name == "" {
		return nil, fmt.Errorf("hello: \"name\" must be a non-empty string")
	}
	return "Hello " + name, nil
}

func main() {
	reg := tool.NewRegistry() // registry of governed tools
	if err := reg.Add(HelloTool{}); err != nil {
		log.Fatal(err)
	}
	exec := execution.NewExecutor(reg) // protocol-agnostic execution engine
	adapter, err := mcpadapter.New("guardrail", "v0.1.0", reg, exec) // MCP bridge
	if err != nil {
		log.Fatal(err)
	}
	if err := adapter.RegisterAllTools(); err != nil {
		log.Fatal(err)
	}
	if err := adapter.Server().Run(context.Background(), &mcp.StdioTransport{}); err != nil {
		log.Fatal(err)
	}
}
```

Guardrail automatically:
- Exposes tools via tools/list
- Converts ToolCall → Invocation
- Executes the tool via the pipeline
- Returns a ToolResult
When a tool is called:
- ToolCall is converted to Invocation
- Executor looks up tool in registry
- Policies (future) run before execution
- Tool executes
- Policies run after execution
- Result is returned to adapter
The execution engine is deterministic and safe to extend.
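To make the pipeline concrete, here is a self-contained Go sketch of the same flow. It is an added example written for this README, not Guardrail's own code: the `Tool`, `Invocation`, `Handler`, `Policy` and `Executor` shapes, the `AllowList`, `Timeout` and `Audit` policies, the caller names and the `hang` tool are all assumptions constructed for the demo. Policies are composed as middleware so each runs in a fixed order before and after the tool: a role allow-list rejects callers not permitted to use a tool, a timeout bounds execution through the context, and an audit policy records every attempt that reaches it, denials included. The roadmap's Timeout, Role, RateLimit and Audit policies would fit the same shape.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

var ErrUnknownTool = errors.New("unknown tool")
var ErrDenied = errors.New("caller not permitted to run tool")

// Tool is a behaviour-first capability, keyed by name in the registry (shape assumed for this example, not Guardrail's own).
type Tool func(ctx context.Context, input map[string]any) (any, error)

// Invocation is the protocol-independent form of a tool call; Caller is the principal the transport asserted.
type Invocation struct {
	Tool, Caller string
	Input        map[string]any
}

// A Policy wraps the next stage: code before next() runs before the tool, code after it runs after, and returning without calling next blocks the call.
type Handler func(ctx context.Context, inv Invocation) (any, error)
type Policy func(next Handler) Handler

// Executor is the pipeline: registry lookup, then the policy chain around the tool, always in the same order.
type Executor struct {
	Registry map[string]Tool
	Policies []Policy // Policies[0] is outermost: it runs first and observes the result last
}

func (e *Executor) Execute(ctx context.Context, inv Invocation) (any, error) {
	t, ok := e.Registry[inv.Tool] // 1. resolve the tool
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrUnknownTool, inv.Tool)
	}
	h := Handler(func(ctx context.Context, inv Invocation) (any, error) { return t(ctx, inv.Input) })
	for i := len(e.Policies) - 1; i >= 0; i-- { // 2. wrap innermost first
		h = e.Policies[i](h)
	}
	return h(ctx, inv) // 3. before-hooks, tool, after-hooks
}

// AllowList is a role policy: a tool runs only for the callers listed for it.
func AllowList(perms map[string][]string) Policy {
	return func(next Handler) Handler {
		return func(ctx context.Context, inv Invocation) (any, error) {
			for _, c := range perms[inv.Tool] {
				if c == inv.Caller {
					return next(ctx, inv)
				}
			}
			return nil, fmt.Errorf("%w: %s -> %s", ErrDenied, inv.Caller, inv.Tool)
		}
	}
}

// Timeout bounds every execution with a deadline on the tool's context.
func Timeout(d time.Duration) Policy {
	return func(next Handler) Handler {
		return func(ctx context.Context, inv Invocation) (any, error) {
			ctx, cancel := context.WithTimeout(ctx, d)
			defer cancel()
			return next(ctx, inv)
		}
	}
}

// Audit appends one AuditEntry per attempted call to dst, denials included, because it sits outermost (single-goroutine demo: no locking).
type AuditEntry struct{ Tool, Caller, Outcome string }

func Audit(dst *[]AuditEntry) Policy {
	return func(next Handler) Handler {
		return func(ctx context.Context, inv Invocation) (any, error) {
			res, err := next(ctx, inv)
			outcome := "ok"
			if err != nil {
				outcome = err.Error()
			}
			*dst = append(*dst, AuditEntry{inv.Tool, inv.Caller, outcome})
			return res, err
		}
	}
}

// NewDemoExecutor wires two constructed tools (the README's greeting tool and a stand-in for a backend that never answers) to a constructed policy set.
func NewDemoExecutor(dst *[]AuditEntry) *Executor {
	hello := func(_ context.Context, in map[string]any) (any, error) { return fmt.Sprint("Hello ", in["name"]), nil }
	hang := func(ctx context.Context, _ map[string]any) (any, error) {
		<-ctx.Done() // only the Timeout policy gets us out of here
		return nil, ctx.Err()
	}
	return &Executor{
		Registry: map[string]Tool{"hello": hello, "hang": hang},
		Policies: []Policy{Audit(dst), AllowList(map[string][]string{"hello": {"analyst"}, "hang": {"analyst"}}), Timeout(50 * time.Millisecond)},
	}
}

func main() {
	var entries []AuditEntry
	_, err := NewDemoExecutor(&entries).Execute(context.Background(), Invocation{Tool: "hello", Caller: "guest"})
	fmt.Println(err, entries) // the guest is denied and the denial is audited
}
```

With this wiring an analyst's hello call succeeds, a guest's is denied before the tool runs, the hang tool is cut off with context.DeadlineExceeded after 50 ms, and all three attempts land in the audit slice in call order because Audit is the outermost layer. One caveat follows directly from the step order above: the registry lookup happens before any policy runs, so a call to an unregistered tool name fails with ErrUnknownTool and never reaches the audit policy; if those attempts matter to your detection pipeline, record them at the adapter or in the executor itself.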
- Policy engine (Timeout, Role, RateLimit)
- Audit logging
- OpenTelemetry integration
- Resource and Prompt support
- HTTP transport
- Structured input validation
- Tool annotations and metadata
Early development (MVP phase).
Core abstractions are in place:
- Tool
- Spec
- Registry
- Invocation
- Executor
- Minimal MCP adapter
Guardrail treats AI tool exposure as infrastructure.
Instead of:
“Here’s a function the AI can call.”
Guardrail provides:
“Here’s a governed capability with enforced boundaries.”