Which integrations are available for this server?

Optional integration for server-side natural language processing to transform natural language security requirements into Cerbos YAML policies using OpenAI GPT models.

How do I use GlassTape Policy Builder?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@GlassTape Policy Builder create a policy for customer data access with role-based controls and audit logging" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

🧩 GlassTape Policy Builder MCP Server

License MCP Python

Transform natural language into production-ready AI governance policies.

GlassTape Policy Builder is an open-source MCP server that converts natural-language security requirements into Cerbos YAML policies with automated validation, testing, and red-teaming.
It enables security and engineering teams to integrate AI agents and applications with policy-as-code frameworks—bringing zero-trust guardrails to tool-call interception, data access, and model workflows.

🚀 Features

⚙️ Natural-Language to Policy – Generate Cerbos policies from plain English using Claude or AWS Q
🧠 Automated Validation – Uses the Cerbos CLI (cerbos compile, cerbos test) for syntax and logic checks
🧪 Red-Team Analysis – 6-point security analysis with automatic improvement suggestions
🧩 MCP Integration – Works natively in IDEs like Cursor, Zed, and Claude Desktop
🔒 Air-Gapped Operation – Local-first design with no external dependencies
🏷️ Topic-Based Governance – 40+ content topics with safety categorization
🧾 Compliance Templates – Built-in templates for SOX, HIPAA, PCI-DSS, and EU AI Act

🚀 Quick Start

1. Prerequisites

Install Cerbos CLI (required for policy validation):

# macOS
brew install cerbos/tap/cerbos

# Linux
curl -L https://github.com/cerbos/cerbos/releases/latest/download/cerbos_Linux_x86_64 \
  -o /usr/local/bin/cerbos && chmod +x /usr/local/bin/cerbos

# Verify installation
cerbos --version

2. Install from Source

# Clone the repository
git clone https://github.com/glasstape/glasstape-policy-builder-mcp.git
cd glasstape-policy-builder-mcp/agent-policy-builder-mcp

# Basic installation
pip install -e .

# With optional LLM support (for server-side natural language parsing)
pip install -e ".[anthropic]"  # Anthropic Claude
pip install -e ".[openai]"     # OpenAI GPT
pip install -e ".[llm]"        # All LLM providers

# Development installation
pip install -e ".[dev]"

3. Configure Your MCP Client

Claude Desktop (~/Library/Application Support/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "glasstape-policy-builder": {
      "command": "glasstape-policy-builder-mcp"
    }
  }
}

Cursor/Zed: Add similar configuration in your IDE's MCP settings.

Optional: Server-side LLM (for natural language processing):

{
  "mcpServers": {
    "glasstape-policy-builder": {
      "command": "glasstape-policy-builder-mcp",
      "env": {
        "LLM_PROVIDER": "anthropic",
        "ANTHROPIC_API_KEY": "sk-ant-your-key"
      }
    }
  }
}

4. Usage Examples

Generate a Policy (in Claude Desktop or MCP-enabled IDE):

Create a payment policy for AI agents:
- Allow payments up to $50
- Block sanctioned entities
- Limit to 5 transactions per 5 minutes

List Available Templates:

list_templates

Validate a Policy:

validate_policy with policy_yaml: "<your-cerbos-yaml>"

5. Troubleshooting

Cerbos CLI not found:

Ensure Cerbos CLI is installed and in your PATH
Run cerbos --version to verify installation (note: --version not version)

MCP server not connecting:

Check your MCP client configuration
Restart your IDE after configuration changes
Verify the command path is correct: which glasstape-policy-builder-mcp

Installation fails with "Unable to determine which files to ship":

This is a known hatch build issue - ensure you're in the correct directory
The pyproject.toml should include [tool.hatch.build.targets.wheel] configuration

Import errors with MCP:

Ensure you have the correct MCP imports: from mcp.server import Server
Try reinstalling: pip install -e . --force-reinstall

Policy validation fails:

Check YAML syntax in generated policy
Ensure Cerbos CLI is working: cerbos compile --help
Review error messages for specific issues

Command not found after installation:

Ensure you have Python 3.10 or higher
Check that the entry point is correctly configured in pyproject.toml

🦭 Available Tools

When connected via MCP, you can use these tools in Claude or your IDE:

Tool	What it does
`generate_policy`	Transform natural language → validated Cerbos YAML with topic governance
`validate_policy`	Check policy syntax with `cerbos compile`
`test_policy`	Run test suites against policies with `cerbos compile`
`suggest_improvements`	6-point security analysis with automatic improvement suggestions
`list_templates`	Browse built-in templates (finance, healthcare, AI safety)

Example workflow:

1. "Generate a payment policy for AI agents with $50 limit..."
   → Claude calls generate_policy
   
2. "Show me available financial templates"
   → Claude calls list_templates
   
3. "Test this policy with the test suite"
   → Claude calls test_policy
   
4. "Analyze this policy for security issues"
   → Claude calls suggest_improvements
   
5. "Validate the policy syntax"
   → Claude calls validate_policy

🧪 Example Output

Input:

"Allow AI agents to execute payments up to $50. Block sanctioned entities. 
Limit cumulative hourly amount to $50. Maximum 5 transactions per 5 minutes."

Generated Policy with Topic Governance:

# policies/payment_policy.yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "1.0.0"
  resource: "payment"
  rules:
    - actions: ["execute"]
      effect: EFFECT_ALLOW
      condition:
        match:
          expr: >
            request.resource.attr.amount > 0 &&
            request.resource.attr.amount <= 50 &&
            !(request.resource.attr.recipient in request.resource.attr.sanctioned_entities) &&
            (request.resource.attr.cumulative_amount_last_hour + request.resource.attr.amount) <= 50 &&
            request.resource.attr.agent_txn_count_5m < 5 &&
            has(request.resource.attr.topics) &&
            "payment" in request.resource.attr.topics &&
            !("adult" in request.resource.attr.topics)
    - actions: ["*"]
      effect: EFFECT_DENY

Plus:

✅ Topic-based governance (payment, pii detection)
✅ Safety categorization (G/PG/PG_13/R/adult_content)
✅ 15+ automated test cases
✅ Validated by cerbos compile
✅ 6-point security analysis
✅ Ready-to-deploy bundle

📋 Complete Examples

Category	Example	Description
Finance	payment_policy.md	Payment execution with limits
Healthcare	phi_access_policy.md	HIPAA-compliant PHI access
AI Safety	ai_model_invocation_policy.md	Model invocation with guardrails
Data Access	pii_export_policy.md	GDPR-compliant PII export control
System	admin_access_policy.md	Admin access with MFA

See examples/README.md for complete examples.

🧱 Architecture

flowchart TD
  A["Natural-language policy request"] --> B["GlassTape MCP Server"]
  B --> C["Intermediate Canonical Policy - JSON"]
  C --> D["Cerbos YAML policy generation"]
  D --> E["Cerbos CLI validation + testing"]
  E --> F["Ready-to-deploy policy bundle"]

Key Innovation: ICP (Intermediate Canonical Policy) serves as a language-agnostic intermediate representation, enabling deterministic generation, policy portability, and formal verification.

🧪 Development

# Clone and setup
git clone https://github.com/glasstape/glasstape-policy-builder-mcp.git
cd glasstape-policy-builder-mcp
pip install -e ".[dev]"

# Run tests
pytest

# Format code
black src/ tests/

🤝 Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

Quick Links:

💪 License

💡 Links

Built with ❤️ by — Making AI agents secure by default.

GlassTape Policy Builder