# Derek Mossman, Staff Engineer (AI Infrastructure) at LexiCore Systems — read of mcp-tool-call-gating-proxy, June 18 2026

> 11 years in backend/platform work, the last 18 months deep in agent infrastructure. Currently running 6 internal MCP-connected agents across a 580-person legaltech company. Coaches my son's U10 soccer team on Saturdays and probably think about agentic safety more than is healthy.

---

## How I got here

Two weeks ago one of our document-summary agents called a `delete_contract_version` tool it absolutely should not have touched. The tool call succeeded. We caught it in staging but it rattled me. I went looking for "MCP tool call approval workflow" and "MCP agent policy enforcement" on Google. This page was on the second page of results. I clicked because the title was specific enough to not be a Medium article.

## What I clicked first

The hero line: **"Harden AI Agent Tool Access Without Slowing Them Down"** -- that's the exact tension I'm living. Every option I've looked at requires either a heavy approval queue that kills the agent's usefulness, or just... vibes-based trust. So that line stopped my scan.

Then the spec table. "Ask Mode for Uncertainty" grabbed me: the idea that a risky call can pause, ping me on Slack, and I approve or deny before the agent continues. That is the exact workflow I sketched in my notebook after the staging incident. Seeing it described here made me sit up.

## Where I paused

The phrase **"you approve or deny in under a second."** I stopped and read it twice. That's a very specific claim. Sub-second human approval implies either a trivially simple UI (one tap in Slack) or they've never watched a real human context-switch during an agent run. I've been in that situation. It takes me 8 seconds minimum to understand what I'm being asked before I hit approve. "Under a second" either means they've nailed a frictionless approval UX -- which would be impressive and I'd want to see it -- or someone wrote that without thinking it through. I genuinely don't know which.

## What I distrusted

Two things, and they're related.

First: the scoring block halfway down the page. **"$-9,904 Year-1 take-home (Fermi)"** and **"1 in 8 Meaningful-success odds."** I had to read that section three times before I understood I wasn't looking at risk metrics for deploying the product. These are Fermi estimates for someone who wants to *build and sell* this product as a business. That is a completely different reader than me. I came here looking for a tool to buy and use. The page didn't signal that switch at all. I felt disoriented.

Second: **"Honest disclosure: we don't have live customers on this idea yet."** Fine, I respect transparency. But by the time I hit that line I had already processed the pricing and realized the $5 tier unlocks "ICP, MVP scope, first 7 build tasks, 30/60/90 launch plan." That's a business-building kit, not a SaaS subscription. So what am I actually here to buy? A tool that runs between my agents and my MCP servers, or a packet for me to go build that tool myself? The page never answers this cleanly.

## What would convince me

If this is a live proxy I can point my agents at: show me a 10-line config example. Show me what a YAML rule actually looks like for a specific tool name match with argument inspection. Show me the Slack message my agent sends when it hits "ask mode" -- a real screenshot, not a mockup. A 3-minute Loom of someone setting up a policy on a test agent would close me faster than anything else on this page.

If this is an idea-kit I buy to go build myself: say that loudly at the top of the page, because right now I spent 6 minutes confused about which one it is.

## What I'd ask in an email reply

1. Is there a running instance of this proxy I can test against my own MCP server today, or is the current product a strategy package for building one?
2. The "Ask Mode" description says I approve or deny and "agent resumes with your decision" -- does the agent's call actually block and hold state while waiting, or does it get a denial and retry? Because those are two very different behaviors for agent reliability.
3. The YAML policies "compose; later rules override earlier ones" -- how do you handle conflicts between a team-lead-written base policy and an agent-specific override? Is there a merge strategy or is it last-write-wins?

## Verdict: on-the-fence

The core idea is right and the hero communicates it well enough that I kept reading. But I still don't know if I can actually buy and run this product today, and the page spent more energy talking to a potential founder than to me. Fix that one thing and I'd reply.

---
*Memo by skeptic persona, generated 2026-06-18. Studio breaks own self-grading loop.*
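The policy semantics the memo asks about (tool-name match with argument inspection, an "ask" action that pauses for a human, and rules that compose with later ones overriding earlier ones), as an added example that is not part of the memo or the product: a small last-match-wins evaluator that shows how a team-lead base policy and an agent-specific override resolve against the `delete_contract_version` call from the staging incident. The rule schema, the `env` and `dry_run` arguments and the default-deny fallback are assumptions, not anything the page states.

```python
"""Illustrative last-match-wins evaluator for MCP tool-call gating rules as the
memo describes them (tool-name glob, argument inspection, allow/deny/ask).
Added for this review, not the product's code; schema and names are assumed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any

@dataclass
class Rule:
    tool: str                    # glob over tool names, e.g. "delete_*"
    action: str                  # "allow" | "deny" | "ask" (ask = pause for a human)
    where: dict[str, Any] = field(default_factory=dict)  # args that must equal these
    source: str = "base"         # which policy layer contributed the rule

def matches(rule: Rule, tool: str, args: dict[str, Any]) -> bool:
    """A rule applies when the tool name fits its glob and every inspected
    argument is present with the required value."""
    if not fnmatchcase(tool, rule.tool):
        return False
    return all(args.get(k) == v for k, v in rule.where.items())

def decide(policy: list[Rule], tool: str, args: dict[str, Any]) -> tuple[str, str]:
    """Rules compose in order and later rules override earlier ones, so the
    last matching rule wins. A call no rule matches is denied (assumed safe
    default; the page does not say what the product does here)."""
    verdict, origin = "deny", "default"
    for rule in policy:
        if matches(rule, tool, args):
            verdict, origin = rule.action, rule.source
    return verdict, origin

def compose(base: list[Rule], override: list[Rule]) -> list[Rule]:
    """Team-lead base policy first, agent-specific override after it: under
    last-write-wins the override can relax a base deny, which is exactly the
    conflict the memo's third question raises."""
    return [*base, *override]

# Constructed sample policies for the staging scenario in the memo.
BASE = [
    Rule("*", "allow"),
    Rule("delete_*", "deny"),
    Rule("delete_contract_version", "ask", where={"env": "staging"}),
]
SUMMARY_AGENT_OVERRIDE = [
    Rule("delete_contract_version", "allow", {"env": "staging", "dry_run": True}, "summary-agent"),
]
```

Calling `decide(compose(BASE, SUMMARY_AGENT_OVERRIDE), "delete_contract_version", {"env": "staging", "dry_run": True})` returns `("allow", "summary-agent")`, i.e. the override silently relaxes the base "ask", which is why a base policy that must not be relaxed needs a merge strategy stronger than rule order.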
