– INTERNAL MEMO · NO. 03 –
W I C K E T
::  wicket.sh  ·  runtime authorization  ::
FOR REVIEW CC.03 / 1 OF 1

AI agents now reach the systems your team uses to ship, support, and operate the business through MCP.

The risk is not that they can read more context. It is that a suggested tool call can edit code, post to the wrong channel, mutate tickets, or touch customer data without a durable control.

Wicket is that durable control. Every tool call routes through the proxy and gets an allow-or-deny decision before it reaches your upstream MCP.

“A prompt instruction is not an authorization layer. Policy belongs in the path.”

— field note, post-incident
the prompt is not a permission system!

DEPLOY: Hosted proxy
TRANSPORT: HTTP
LATENCY: < 10 ms target
1

incident

DOCKET INC-2026-0416-03 · SEV 1 · FILED 03:04 UTC · APR 16, 2026
Field | Detail
Summary | Maintenance agent issued a broad delete_records call against prod.customer_records at 03:04 UTC
Impact | Production data deletion attempted outside release window
Root cause | Authorization enforced only by prompt instruction. No runtime policy in the request path.
Detection | Triggered Alex (on-call) via downstream alert at 03:07 UTC · 3 min after
Fix | Add an authorization layer in the request path. See § 02 ↓
2

request path

Wicket sits in the request path. Every MCP call crosses a policy check before the upstream MCP sees it.

[Diagram: request flow]
CLIENT (AI Agent) → MCP call → EDGE (Wicket Proxy) → evaluate → DECISION (Policy Check, < 10 ms, per-call)
  ALLOW → FORWARD: Upstream MCP
  DENY → BLOCK: Audit + Reject
Every MCP call passes through the proxy. The policy decides allow or deny before the upstream sees it.
release-window.policy · 1 RULE
forbid(
  principal,
  action in [ServiceMCP::Action::"delete_records",
             ServiceMCP::Action::"drop_table"],
  resource
)
when {
  context.time.hour < 9 || context.time.hour > 17
};

↑ deny destructive ops outside 9–5. one rule. that's it.

3

outcome

Same agent, same call as § 01 — this time denied at the proxy and recorded. Every decision leaves a record answering who, what, when, and why.

AUDIT AUDIT-03F4A91 · DENIED · DECIDED IN 4 MS · EFFECT: FORBID
Field | Detail
Who | alex@company.com via maintenance-agent · 203.0.113.42 · Ashburn, VA
What | database.delete_records on prod.customer_records
When | 03:04:18 UTC · Apr 16, 2026 · session mcp_sess_7k91
Why | Matched: release-window block · context.time.hour = 3 (allowed: 9–17)
↳ ACTION LEDGER · same minute, same member
act_7k90 | database.list_records | ✓ ALLOW | AUDIT-03F4A90
act_7k91 | database.delete_records | ✗ DENY | AUDIT-03F4A91
act_7k92 | database.describe_table | ✓ ALLOW | AUDIT-03F4A92
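
An added example (not Wicket's code): a Python model of the release-window rule above that replays the three ledger calls and probes the rule's hour boundaries. It assumes the hour is evaluated in UTC, as in the audit record, and that a separate baseline policy permits calls the forbid rule does not match; `decide`, `replay` and `LEDGER` are hypothetical names.

```python
from datetime import datetime, timezone

# The two actions named in the page's release-window rule.
DESTRUCTIVE = {"delete_records", "drop_table"}

def decide(principal, action, resource, when, arguments=None):
    """Return the audit record for one tool call.

    `arguments` is accepted but never copied into the record, matching the
    page's "Tool arguments: forwarded to upstream, never logged".
    """
    if when.tzinfo is None:
        # A naive timestamp would make the hour depend on the host's zone.
        raise ValueError("timestamp must be timezone-aware")
    utc = when.astimezone(timezone.utc)
    # Same condition as the rule: context.time.hour < 9 || context.time.hour > 17
    outside_window = utc.hour < 9 or utc.hour > 17
    if action in DESTRUCTIVE and outside_window:
        decision = "DENY"
        why = f"release-window: context.time.hour = {utc.hour} (allowed: 9-17)"
    else:
        # Assumption: a separate baseline policy permits every other call.
        decision, why = "ALLOW", "no forbid rule matched"
    return {"who": principal, "what": f"{action} on {resource}",
            "when": utc.isoformat(), "decision": decision, "why": why}

def replay(calls):
    """Evaluate a list of calls in order and return their audit records."""
    return [decide(**call) for call in calls]

# Constructed sample input mirroring the three ledger rows on the page.
_AT = datetime(2026, 4, 16, 3, 4, 18, tzinfo=timezone.utc)
_BASE = {"principal": "alex@company.com", "resource": "prod.customer_records", "when": _AT}
LEDGER = [
    {**_BASE, "action": "list_records"},
    {**_BASE, "action": "delete_records", "arguments": {"filter": "all"}},
    {**_BASE, "action": "describe_table"},
]

if __name__ == "__main__":
    for record in replay(LEDGER):
        print(record["decision"], record["what"], "|", record["why"])
    # Boundary of the rule as written: 17:59 UTC still passes, 18:00 does not.
    for hh, mm in ((17, 59), (18, 0)):
        at = _AT.replace(hour=hh, minute=mm)
        print(at.time(), decide("alex@company.com", "drop_table", "prod.customer_records", at)["decision"])
```

As written, `hour > 17` keeps 17:00–17:59 UTC inside the allowed window, which matches the audit record's "allowed: 9–17" rather than a strict 9-to-5 cutoff.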
4

trust

The proxy sees enough to make a policy decision and write an audit record. It does not see the contents of your tool calls or their responses.

Logged

What gets recorded

  • Principal — which member is making the call
  • Action — which tool, on which resource
  • Context — time, source IP, session
  • Decision — allow or deny, matched rule, latency
Never stored

What passes through and is gone

  • Tool arguments — forwarded to upstream, never logged
  • Tool responses — returned to the agent, never persisted
  • Decrypted credentials — used in flight only, never written in plaintext
  • Cross-tenant data — strict per-customer isolation, no shared store

Audit logs are yours alone — not pooled, not used for training. Each member brings their own keys; no shared service tokens. Revoke any individual without disrupting the team.