Options, Not Clicks: Lattice Refinement for Consent-Driven MCP Authorization
Authors: Ying Li, Yanju Chen, Peiran Wang et al.
Summary
The authors present Conleash, a client-side authorization middleware for Model Context Protocol (MCP) tools that moves beyond coarse "always allow" toggles. Conleash uses a risk lattice to auto-permit safe calls within known boundaries while escalating risky ones, a policy engine for user-defined invariants, and a refinement loop that converts user decisions into reusable rules. Evaluated on 984 real-world traces, it achieved 98.2% accuracy, caught 99.4% of escalations, added only 8.2ms overhead, and was preferred by 16 user-study participants over traditional methods.
Main takeaways:
- Existing MCP authorization (broad toggles or opaque LLM decisions) causes consent fatigue and misses dangerous call arguments.
- Conleash's risk lattice auto-permits safe calls (e.g., reading a known file) while surfacing risky ones (e.g., writing to unexpected locations) for user review.
- A refinement loop converts one-time user decisions into reusable policies, reducing future prompts without sacrificing safety.
- Real-world evaluation shows high accuracy (98.2%), low false-negative rate (99.4% escalation recall), and minimal latency overhead (8.2ms).
- User study (N=16) found Conleash significantly increased trust and reduced prompting compared to traditional methods.
Relevance
Not directly related to my persona/midtraining work. This is about runtime authorization for tool-calling agents, not about how behaviors are installed during training. Only tangentially relevant if I ever explore how persona-installed behaviors interact with tool-use permissions or if persona markers could be used to gate tool access.
Abstract
arXiv:2605.11360v1 Announce Type: new Abstract: As Model Context Protocol adoption grows, securing tool invocations via meaningful user consent has become a critical challenge, as existing methods, broad always allow toggles or opaque LLM-based decisions, fail to account for dangerous call arguments and often lead to consent fatigue. In this work, we present Conleash, a client-side middleware that enforces boundary-scoped authorization by utilizing a risk lattice to auto-permit safe calls within known boundaries while escalating risks, a policy engine for user-defined invariants, and a refinement loop that converts user decisions into reusable rules. Evaluated on 984 real-world traces, Conleash achieved 98.2% accuracy, caught 99.4% of escalations, and added only 8.2 ms of overhead for policy verification; furthermore, in a user study where N=16, participants significantly preferred Conleash scoped permissions over traditional methods, citing higher trust and reduced prompting.