Scenario
A release gate orchestrator uses an internal CI/CD MCP server. Unknown tools should require approval. Known risky tools should be blocked in production.Step 1 — Enable approval guardrail in dashboard
In the Apie dashboard, enablerequire_approval_unknown_mcp_tools (or your workspace equivalent) for the agent.
Step 2 — Configure Enforce mode
apie.mcp.json
| Field | Why |
|---|---|
mode: "enforce" | Enforce blocks and approvals |
approvalTimeoutMs: 600000 | 10-minute approval window |
environment: "production" | Tags events for production policies |
Step 3 — Point MCP host at proxy
Step 4 — Trigger an unknown tool
Call an MCP tool your agent hasn’t used before. In Enforce mode:- Proxy evaluates the guardrail
- Decision is
require_approval - Approval request appears in the dashboard
- Agent waits until you approve or reject
What you’ll see
- Approved: Tool call proceeds, telemetry events in dashboard
- Rejected: MCP host receives JSON-RPC error
-32002 - Blocked: MCP host receives JSON-RPC error
-32001
Validate setup
Error codes
| Code | Meaning |
|---|---|
-32001 | Guardrail blocked the tool call |
-32002 | Approval denied or timed out |
Next steps
MCP proxy
Full proxy setup guide.
Human approval
Approval flow details.
