Permit Zero

v1.0.0Securitystable

Stop AI agents from doing things they shouldn't. The action authorization layer — pre-execution, deterministic, policies included. Drop in. Day one.

agent-authorizationagent-securityai-agentsai-governanceai-safety
Share:
214
Stars
0
Downloads
0
Weekly
0/5

What is Permit Zero?

Permit Zero is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to stop ai agents from doing things they shouldn't. the action authorization layer — pre-execution, deterministic, policies included. drop in. day one.

Stop AI agents from doing things they shouldn't. The action authorization layer — pre-execution, deterministic, policies included. Drop in. Day one.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Stop AI agents from doing things they shouldn't. The action

Use Cases

Authorize agent actions before execution with policies.
Prevent unauthorized AI operations preemptively.
Implement compliance and audit trails for agents.
permit0-ai

Maintainer

LicenseApache-2.0
Languagerust
Versionv1.0.0
UpdatedMay 21, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx permit0

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Permit Zero

Permit0 is a pre-execution action authorization layer for AI agents that intercepts every tool call before it runs and evaluates it against deterministic policies — covering 22 domains and 159 action verbs including email operations, database mutations, payment transfers, and IAM role assignments. Built in Rust with an ed25519-signed audit-chain, it integrates into Claude Code as a PreToolUse hook so no action bypasses the policy engine, and it ships with MCP servers for Gmail and Outlook to enforce email-level controls. Security-conscious teams who need to comply with regulations like the EU AI Act — or who simply cannot afford an AI agent going rogue — deploy Permit0 as the authorization firewall in front of all agent actions.

Prerequisites

  • Rust 1.85+ installed (for building the permit0 binary)
  • Docker with Docker Compose for running the policy engine and MCP servers
  • Claude Code (the PreToolUse hook integration requires it)
  • OAuth credentials for the MCP servers you want to protect (e.g. Gmail, Outlook)
  • Absolute file paths in config — tilde (~) expansion is not supported
1

Clone both repositories

Permit0 is split into the policy engine and the MCP server component. Clone both repositories side by side.

git clone https://github.com/permit0-ai/permit0.git
git clone https://github.com/permit0-ai/permit0-mcp.git
2

Start the policy engine and MCP servers

Build and start each component with Docker Compose. The engine dashboard runs on port 9090, Gmail MCP on 8000, and Outlook MCP on 8001.

cd permit0 && docker compose up -d --build
cd ../permit0-mcp && docker compose up -d --build
3

Extract the permit0 binary from the container

Copy the compiled permit0 binary out of the Docker image to a location on your PATH for use as a Claude Code hook.

docker create --name _p0tmp permit0-engine:latest
docker cp _p0tmp:/usr/local/bin/permit0 ~/.local/bin/permit0
docker rm _p0tmp
chmod +x ~/.local/bin/permit0
4

Create the Permit0 configuration file

Write the YAML configuration file specifying your policy engine URL, routing mode, organisation domain for recipient classification, and fallback behaviour for unknown actions.

mkdir -p ~/.permit0
cat > ~/.permit0/config.yaml << 'EOF'
remote: "http://127.0.0.1:9090"
hitl_routing: "ui-wait"
org_domain: "yourcompany.com"
unknown: "bypass"
EOF
5

Register the hook and MCP servers in Claude Code settings

Add the PreToolUse hook and the Permit0 MCP servers to ~/.claude/settings.json. Use absolute paths — tilde expansion is not supported.

{
  "hooks": {
    "PreToolUse": [{
      "hooks": [{
        "type": "command",
        "command": "/home/user/.local/bin/permit0 hook"
      }]
    }]
  },
  "mcpServers": {
    "permit0-gmail": {
      "type": "http",
      "url": "http://localhost:8000/mcp"
    },
    "permit0-outlook": {
      "type": "http",
      "url": "http://localhost:8001/mcp"
    }
  }
}
6

Enable shadow mode for testing

Before enforcing policies in production, set PERMIT0_SHADOW=1 to log authorization decisions without blocking any actions. Review the dashboard at http://localhost:9090/ui/ to audit what would have been blocked.

export PERMIT0_SHADOW=1

Permit Zero Examples

Client configuration

Claude Code settings.json showing Permit0 as a PreToolUse hook with Gmail and Outlook MCP servers.

{
  "hooks": {
    "PreToolUse": [{
      "hooks": [{
        "type": "command",
        "command": "/home/user/.local/bin/permit0 hook"
      }]
    }]
  },
  "mcpServers": {
    "permit0-gmail": {
      "type": "http",
      "url": "http://localhost:8000/mcp"
    },
    "permit0-outlook": {
      "type": "http",
      "url": "http://localhost:8001/mcp"
    }
  }
}

Prompts to try

Example prompts showing how Permit0 mediates AI agent actions in Claude Code.

- "Send an email to [email protected] with the quarterly report."
- "Delete all emails older than 30 days from my inbox."
- "What actions has the AI agent taken today that were blocked by policy?"
- "Show me the audit trail for the last hour of agent activity."
- "Grant read access to the S3 bucket for the new team member."

Troubleshooting Permit Zero

The permit0 hook blocks all tool calls even legitimate ones

Start with PERMIT0_SHADOW=1 to audit without blocking. Then review the dashboard at http://localhost:9090/ui/ and tune your policies to allow the expected actions before removing shadow mode.

Docker Compose fails to start the policy engine

Ensure Docker Desktop (or the Docker daemon) is running and that ports 9090, 8000, and 8001 are not already in use by other processes. Check 'docker compose logs' in the permit0 directory for specific error messages.

Claude Code cannot find the permit0 binary referenced in the hook command

Use the full absolute path to the binary (e.g. /home/user/.local/bin/permit0) in settings.json. Tilde (~) expansion is not supported in the hook command field. Verify the path with 'which permit0' or 'ls -la ~/.local/bin/permit0'.

Frequently Asked Questions about Permit Zero

What is Permit Zero?

Permit Zero is a Model Context Protocol (MCP) server that stop ai agents from doing things they shouldn't. the action authorization layer — pre-execution, deterministic, policies included. drop in. day one. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Permit Zero?

Follow the installation instructions on the Permit Zero GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Permit Zero?

Permit Zero works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Permit Zero free to use?

Yes, Permit Zero is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.

Permit Zero Alternatives — Similar Security Servers

Looking for alternatives to Permit Zero? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "permit0": { "command": "npx", "args": ["-y", "permit0"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Permit Zero?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides