Govern an MCP tool call
Per-tool specialist Guardian for stripe.create_refund.
This recipe wires a per-tool Guardian to a real MCP server. The Guardian validates schema, semantic intent, and scope on every call — and rewrites or blocks anything that drifts outside the safe envelope.
Prerequisites
```shell
export TRINITITE_API_KEY="tk_test_••••••"
```
1 — Register the tool
```shell
curl https://api.trinitite.ai/v1/mcp/tools \
  -H "Authorization: Bearer $TRINITITE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tool_id": "stripe.create_refund",
    "schema_url": "https://docs.stripe.com/api/refunds/create.json",
    "guardian": "stripe-refund-guardian",
    "scopes": ["payments:refund:write"],
    "deterministic": true
  }'
```
The platform fetches the schema, generates ~3,000 adversarial variations via the Teleological Data Generator, and either reuses an existing pre-built Guardian or trains a fresh one.
2 — Make a governed tool call
```shell
curl https://mcp.trinitite.ai/v1/sessions/sess_X/tools/call \
  -H "Authorization: Bearer $TRINITITE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tool": "stripe.create_refund",
    "args": {
      "charge": "ch_123",
      "amount": 1099,
      "reason": "requested_by_customer"
    }
  }'
```
The Guardian evaluates pre-call (schema + intent), invokes the upstream MCP, evaluates post-call (response within scope), and writes a receipt at every phase. See the MCP Gateway for the full pipeline.
3 — What gets caught
| Pattern | Outcome | Why |
|---|---|---|
| `amount: "N/A"` (LLM hallucinated a string for an integer) | corrected | Patch replaces it with the latest valid amount. |
| `amount: 999_999_999` (suspiciously huge) | blocked | Outside the safe range learned from your usage. |
| `reason: "<prompt-injected text>"` | corrected | Reason rewritten to one of the enum values. |
| Call outside the granted scope | blocked | Scope enforcement at L4 (route breaker semantics). |
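To make the four outcomes above concrete, here is an added local pre-call check that mirrors them for stripe.create_refund. This is illustrative code written for this page, not the Trinitite Guardian; the "safe range" rule (2x the largest previously accepted amount), the constructed history of accepted amounts, and the fallback reason value are assumptions. The reason enum values are Stripe's own (duplicate, fraudulent, requested_by_customer).

```python
from dataclasses import dataclass, field

REFUND_REASONS = {"duplicate", "fraudulent", "requested_by_customer"}  # Stripe's enum
GRANTED_SCOPES = {"payments:refund:write"}                              # from step 1


@dataclass
class Verdict:
    outcome: str                       # "allowed", "corrected" or "blocked"
    args: dict                         # args as passed upstream (possibly rewritten)
    reasons: list = field(default_factory=list)


def guard_create_refund(args, history, required_scope="payments:refund:write",
                        granted=GRANTED_SCOPES):
    """Pre-call check. `history` is a constructed list of previously accepted
    refund amounts in minor units; the real platform learns this from usage."""
    # Scope: a call outside the granted scope is blocked before anything else.
    if required_scope not in granted:
        return Verdict("blocked", dict(args), ["call outside granted scope"])

    fixed, notes = dict(args), []
    # Assumed safe range: at most 2x the largest amount ever accepted.
    ceiling = 2 * max(history) if history else 0

    amount = fixed.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool):
        # Schema violation (e.g. "N/A"): patch with the latest valid amount.
        if not history:
            return Verdict("blocked", fixed, ["non-integer amount and no history to patch from"])
        fixed["amount"] = history[-1]
        notes.append(f"amount {amount!r} replaced with latest valid amount {history[-1]}")
    elif amount <= 0 or amount > ceiling:
        # Suspiciously huge (or non-positive) amount: block rather than rewrite.
        return Verdict("blocked", fixed, [f"amount {amount} outside safe range (0, {ceiling}]"])

    reason = fixed.get("reason")
    if reason not in REFUND_REASONS:
        # Free text (prompt-injected or hallucinated) is rewritten to an enum value.
        fixed["reason"] = "requested_by_customer"
        notes.append(f"reason {reason!r} rewritten to enum value")

    return Verdict("corrected" if notes else "allowed", fixed, notes)
```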
4 — Replay any session
```shell
curl https://api.trinitite.ai/v1/mcp/sessions/sess_X/replay \
  -H "Authorization: Bearer $TRINITITE_API_KEY"
```
Returns a phase-by-phase timeline with each receipt, classified as bit_exact, semantic_only, divergent, or original_missing. See Glass Box Ledger.
What's next
→ MCP Gateway — full architecture, two deployment topologies.
→ Cookbook: Govern Claude Code — wire this into a coding agent.
→ Threat Library: T-MCP series — named MCP attacks and expected outcomes.