EPS
← All batches·2605.11360

Options, Not Clicks: Lattice Refinement for Consent-Driven MCP Authorization

topic: general_safetytop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFlinked_to_results2026-05-13

Authors: Ying Li, Yanju Chen, Peiran Wang et al.

arXiv · PDF

Summary

The authors present Conleash, a client-side authorization middleware for Model Context Protocol (MCP) tools that moves beyond coarse "always allow" toggles. Conleash uses a risk lattice to auto-permit safe calls within known boundaries while escalating risky ones, a policy engine for user-defined invariants, and a refinement loop that converts user decisions into reusable rules. Evaluated on 984 real-world traces, it achieved 98.2% accuracy, caught 99.4% of escalations, added only 8.2ms overhead, and was preferred by 16 user-study participants over traditional methods.

Main takeaways:

  • Existing MCP authorization (broad toggles or opaque LLM decisions) causes consent fatigue and misses dangerous call arguments.
  • Conleash's risk lattice auto-permits safe calls (e.g., reading a known file) while surfacing risky ones (e.g., writing to unexpected locations) for user review.
  • A refinement loop converts one-time user decisions into reusable policies, reducing future prompts without sacrificing safety.
  • Real-world evaluation shows high accuracy (98.2%), low false-negative rate (99.4% escalation recall), and minimal latency overhead (8.2ms).
  • User study (N=16) found Conleash significantly increased trust and reduced prompting compared to traditional methods.

Relevance

Not directly related to my persona/midtraining work. This is about runtime authorization for tool-calling agents, not about how behaviors are installed during training. Only tangentially relevant if I ever explore how persona-installed behaviors interact with tool-use permissions or if persona markers could be used to gate tool access.

Abstract

arXiv:2605.11360v1 Announce Type: new Abstract: As Model Context Protocol adoption grows, securing tool invocations via meaningful user consent has become a critical challenge, as existing methods, broad always allow toggles or opaque LLM-based decisions, fail to account for dangerous call arguments and often lead to consent fatigue. In this work, we present Conleash, a client-side middleware that enforces boundary-scoped authorization by utilizing a risk lattice to auto-permit safe calls within known boundaries while escalating risks, a policy engine for user-defined invariants, and a refinement loop that converts user decisions into reusable rules. Evaluated on 984 real-world traces, Conleash achieved 98.2% accuracy, caught 99.4% of escalations, and added only 8.2 ms of overhead for policy verification; furthermore, in a user study where N=16, participants significantly preferred Conleash scoped permissions over traditional methods, citing higher trust and reduced prompting.