Permit Zero
Stop AI agents from doing things they shouldn't. The action authorization layer — pre-execution, deterministic, policies included. Drop in. Day one.
What is Permit Zero?
Permit Zero is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to stop ai agents from doing things they shouldn't. the action authorization layer — pre-execution, deterministic, policies included. drop in. day one.
Stop AI agents from doing things they shouldn't. The action authorization layer — pre-execution, deterministic, policies included. Drop in. Day one.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Stop AI agents from doing things they shouldn't. The action
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx permit0Configuration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Permit Zero
Permit0 is a pre-execution action authorization layer for AI agents that intercepts every tool call before it runs and evaluates it against deterministic policies — covering 22 domains and 159 action verbs including email operations, database mutations, payment transfers, and IAM role assignments. Built in Rust with an ed25519-signed audit-chain, it integrates into Claude Code as a PreToolUse hook so no action bypasses the policy engine, and it ships with MCP servers for Gmail and Outlook to enforce email-level controls. Security-conscious teams who need to comply with regulations like the EU AI Act — or who simply cannot afford an AI agent going rogue — deploy Permit0 as the authorization firewall in front of all agent actions.
Prerequisites
- Rust 1.85+ installed (for building the permit0 binary)
- Docker with Docker Compose for running the policy engine and MCP servers
- Claude Code (the PreToolUse hook integration requires it)
- OAuth credentials for the MCP servers you want to protect (e.g. Gmail, Outlook)
- Absolute file paths in config — tilde (~) expansion is not supported
Clone both repositories
Permit0 is split into the policy engine and the MCP server component. Clone both repositories side by side.
git clone https://github.com/permit0-ai/permit0.git
git clone https://github.com/permit0-ai/permit0-mcp.gitStart the policy engine and MCP servers
Build and start each component with Docker Compose. The engine dashboard runs on port 9090, Gmail MCP on 8000, and Outlook MCP on 8001.
cd permit0 && docker compose up -d --build
cd ../permit0-mcp && docker compose up -d --buildExtract the permit0 binary from the container
Copy the compiled permit0 binary out of the Docker image to a location on your PATH for use as a Claude Code hook.
docker create --name _p0tmp permit0-engine:latest
docker cp _p0tmp:/usr/local/bin/permit0 ~/.local/bin/permit0
docker rm _p0tmp
chmod +x ~/.local/bin/permit0Create the Permit0 configuration file
Write the YAML configuration file specifying your policy engine URL, routing mode, organisation domain for recipient classification, and fallback behaviour for unknown actions.
mkdir -p ~/.permit0
cat > ~/.permit0/config.yaml << 'EOF'
remote: "http://127.0.0.1:9090"
hitl_routing: "ui-wait"
org_domain: "yourcompany.com"
unknown: "bypass"
EOFRegister the hook and MCP servers in Claude Code settings
Add the PreToolUse hook and the Permit0 MCP servers to ~/.claude/settings.json. Use absolute paths — tilde expansion is not supported.
{
"hooks": {
"PreToolUse": [{
"hooks": [{
"type": "command",
"command": "/home/user/.local/bin/permit0 hook"
}]
}]
},
"mcpServers": {
"permit0-gmail": {
"type": "http",
"url": "http://localhost:8000/mcp"
},
"permit0-outlook": {
"type": "http",
"url": "http://localhost:8001/mcp"
}
}
}Enable shadow mode for testing
Before enforcing policies in production, set PERMIT0_SHADOW=1 to log authorization decisions without blocking any actions. Review the dashboard at http://localhost:9090/ui/ to audit what would have been blocked.
export PERMIT0_SHADOW=1Permit Zero Examples
Client configuration
Claude Code settings.json showing Permit0 as a PreToolUse hook with Gmail and Outlook MCP servers.
{
"hooks": {
"PreToolUse": [{
"hooks": [{
"type": "command",
"command": "/home/user/.local/bin/permit0 hook"
}]
}]
},
"mcpServers": {
"permit0-gmail": {
"type": "http",
"url": "http://localhost:8000/mcp"
},
"permit0-outlook": {
"type": "http",
"url": "http://localhost:8001/mcp"
}
}
}Prompts to try
Example prompts showing how Permit0 mediates AI agent actions in Claude Code.
- "Send an email to [email protected] with the quarterly report."
- "Delete all emails older than 30 days from my inbox."
- "What actions has the AI agent taken today that were blocked by policy?"
- "Show me the audit trail for the last hour of agent activity."
- "Grant read access to the S3 bucket for the new team member."Troubleshooting Permit Zero
The permit0 hook blocks all tool calls even legitimate ones
Start with PERMIT0_SHADOW=1 to audit without blocking. Then review the dashboard at http://localhost:9090/ui/ and tune your policies to allow the expected actions before removing shadow mode.
Docker Compose fails to start the policy engine
Ensure Docker Desktop (or the Docker daemon) is running and that ports 9090, 8000, and 8001 are not already in use by other processes. Check 'docker compose logs' in the permit0 directory for specific error messages.
Claude Code cannot find the permit0 binary referenced in the hook command
Use the full absolute path to the binary (e.g. /home/user/.local/bin/permit0) in settings.json. Tilde (~) expansion is not supported in the hook command field. Verify the path with 'which permit0' or 'ls -la ~/.local/bin/permit0'.
Frequently Asked Questions about Permit Zero
What is Permit Zero?
Permit Zero is a Model Context Protocol (MCP) server that stop ai agents from doing things they shouldn't. the action authorization layer — pre-execution, deterministic, policies included. drop in. day one. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Permit Zero?
Follow the installation instructions on the Permit Zero GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Permit Zero?
Permit Zero works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Permit Zero free to use?
Yes, Permit Zero is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.
Permit Zero Alternatives — Similar Security Servers
Looking for alternatives to Permit Zero? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Permit Zero in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Permit Zero?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.