feat: add write-sink guard policy to all non-GitHub MCP servers configured by gateway

Copilot · lpcox · Copilot · commit 7f805c04fbcb · 2026-03-15T00:55:04.000Z
Extend the write-sink guard policy (currently applied only to safe-outputs) to ALL
non-GitHub MCP servers exposed by the MCP gateway. The policy is derived from the
same GitHub guard-policy parameters (repos/min-integrity), ensuring that as guard
policies are rolled out, only GitHub inputs will be filtered while outputs to
non-GitHub servers are not restricted.

Servers updated: playwright, serena, mcp-scripts, agentic-workflows, web-fetch,
and all custom user-defined MCP tools.

Both JSON format (for gateway/Claude/Copilot/Gemini) and TOML format (for Codex)
are updated with guard policy rendering.

Also adds a deriveWriteSinkGuardPolicyFromWorkflow helper and a comprehensive test
file covering the new behavior.

Co-authored-by: lpcox &lt;15877973+lpcox@users.noreply.github.com&gt;
diff --git a/pkg/workflow/claude_mcp.go b/pkg/workflow/claude_mcp.go
@@ -16,11 +16,12 @@ func (e *ClaudeEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]a
 	// Claude uses JSON format without Copilot-specific fields and multi-line args
 	createRenderer := func(isLast bool) *MCPConfigRendererUnified {
 		return NewMCPConfigRenderer(MCPRendererOptions{
-			IncludeCopilotFields: false, // Claude doesn't use "type" and "tools" fields
-			InlineArgs:           false, // Claude uses multi-line args format
-			Format:               "json",
-			IsLast:               isLast,
-			ActionMode:           GetActionModeFromWorkflowData(workflowData),
+			IncludeCopilotFields:   false, // Claude doesn't use "type" and "tools" fields
+			InlineArgs:             false, // Claude uses multi-line args format
+			Format:                 "json",
+			IsLast:                 isLast,
+			ActionMode:             GetActionModeFromWorkflowData(workflowData),
+			WriteSinkGuardPolicies: deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 		})
 	}
 
@@ -59,7 +60,7 @@ func (e *ClaudeEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]a
 				renderer.RenderMCPScriptsMCP(yaml, mcpScripts, workflowData)
 			},
 			RenderWebFetch: func(yaml *strings.Builder, isLast bool) {
-				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, false)
+				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, false, deriveWriteSinkGuardPolicyFromWorkflow(workflowData))
 			},
 			RenderCustomMCPConfig: func(yaml *strings.Builder, toolName string, toolConfig map[string]any, isLast bool) error {
 				return e.renderClaudeMCPConfigWithContext(yaml, toolName, toolConfig, isLast, workflowData)
diff --git a/pkg/workflow/codex_mcp.go b/pkg/workflow/codex_mcp.go
@@ -19,11 +19,12 @@ func (e *CodexEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]an
 	// Codex uses TOML format without Copilot-specific fields and multi-line args
 	createRenderer := func(isLast bool) *MCPConfigRendererUnified {
 		return NewMCPConfigRenderer(MCPRendererOptions{
-			IncludeCopilotFields: false, // Codex doesn't use "type" and "tools" fields
-			InlineArgs:           false, // Codex uses multi-line args format
-			Format:               "toml",
-			IsLast:               isLast,
-			ActionMode:           GetActionModeFromWorkflowData(workflowData),
+			IncludeCopilotFields:   false, // Codex doesn't use "type" and "tools" fields
+			InlineArgs:             false, // Codex uses multi-line args format
+			Format:                 "toml",
+			IsLast:                 isLast,
+			ActionMode:             GetActionModeFromWorkflowData(workflowData),
+			WriteSinkGuardPolicies: deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 		})
 	}
 
@@ -69,7 +70,7 @@ func (e *CodexEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]an
 				renderer.RenderMCPScriptsMCP(yaml, workflowData.MCPScripts, workflowData)
 			}
 		case "web-fetch":
-			renderMCPFetchServerConfig(yaml, "toml", "          ", false, false)
+			renderMCPFetchServerConfig(yaml, "toml", "          ", false, false, deriveWriteSinkGuardPolicyFromWorkflow(workflowData))
 		default:
 			// Handle custom MCP tools using shared helper (with adapter for isLast parameter)
 			HandleCustomMCPToolInSwitch(yaml, toolName, expandedTools, false, func(yaml *strings.Builder, toolName string, toolConfig map[string]any, isLast bool) error {
@@ -112,11 +113,12 @@ func (e *CodexEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]an
 			actionMode = workflowData.ActionMode
 		}
 		return NewMCPConfigRenderer(MCPRendererOptions{
-			IncludeCopilotFields: false, // Gateway doesn't need Copilot fields
-			InlineArgs:           false, // Use standard multi-line format
-			Format:               "json",
-			IsLast:               isLast,
-			ActionMode:           actionMode,
+			IncludeCopilotFields:   false, // Gateway doesn't need Copilot fields
+			InlineArgs:             false, // Use standard multi-line format
+			Format:                 "json",
+			IsLast:                 isLast,
+			ActionMode:             actionMode,
+			WriteSinkGuardPolicies: deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 		})
 	}
 
@@ -152,7 +154,7 @@ func (e *CodexEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]an
 				renderer.RenderMCPScriptsMCP(yaml, mcpScripts, workflowData)
 			},
 			RenderWebFetch: func(yaml *strings.Builder, isLast bool) {
-				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, false)
+				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, false, deriveWriteSinkGuardPolicyFromWorkflow(workflowData))
 			},
 			RenderCustomMCPConfig: func(yaml *strings.Builder, toolName string, toolConfig map[string]any, isLast bool) error {
 				return e.renderCodexJSONMCPConfigWithContext(yaml, toolName, toolConfig, isLast, workflowData)
@@ -177,6 +179,7 @@ func (e *CodexEngine) renderCodexMCPConfigWithContext(yaml *strings.Builder, too
 		IndentLevel:              "          ",
 		Format:                   "toml",
 		RewriteLocalhostToDocker: rewriteLocalhost,
+		GuardPolicies:            deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 	}
 
 	err := renderSharedMCPConfig(yaml, toolName, toolConfig, renderer)
@@ -200,6 +203,7 @@ func (e *CodexEngine) renderCodexJSONMCPConfigWithContext(yaml *strings.Builder,
 		Format:                   "json",
 		IndentLevel:              "              ",
 		RewriteLocalhostToDocker: rewriteLocalhost,
+		GuardPolicies:            deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 	}
 
 	yaml.WriteString("              \"" + toolName + "\": {\n")
diff --git a/pkg/workflow/copilot_mcp.go b/pkg/workflow/copilot_mcp.go
@@ -19,11 +19,12 @@ func (e *CopilotEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]
 	// Copilot uses JSON format with type and tools fields, and inline args
 	createRenderer := func(isLast bool) *MCPConfigRendererUnified {
 		return NewMCPConfigRenderer(MCPRendererOptions{
-			IncludeCopilotFields: true, // Copilot uses "type" and "tools" fields
-			InlineArgs:           true, // Copilot uses inline args format
-			Format:               "json",
-			IsLast:               isLast,
-			ActionMode:           GetActionModeFromWorkflowData(workflowData),
+			IncludeCopilotFields:   true, // Copilot uses "type" and "tools" fields
+			InlineArgs:             true, // Copilot uses inline args format
+			Format:                 "json",
+			IsLast:                 isLast,
+			ActionMode:             GetActionModeFromWorkflowData(workflowData),
+			WriteSinkGuardPolicies: deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 		})
 	}
 
@@ -64,7 +65,7 @@ func (e *CopilotEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]
 				renderer.RenderMCPScriptsMCP(yaml, mcpScripts, workflowData)
 			},
 			RenderWebFetch: func(yaml *strings.Builder, isLast bool) {
-				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, true)
+				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, true, deriveWriteSinkGuardPolicyFromWorkflow(workflowData))
 			},
 			RenderCustomMCPConfig: func(yaml *strings.Builder, toolName string, toolConfig map[string]any, isLast bool) error {
 				return e.renderCopilotMCPConfigWithContext(yaml, toolName, toolConfig, isLast, workflowData)
@@ -96,6 +97,7 @@ func (e *CopilotEngine) renderCopilotMCPConfigWithContext(yaml *strings.Builder,
 		IndentLevel:              "                ",
 		RequiresCopilotFields:    true,
 		RewriteLocalhostToDocker: rewriteLocalhost,
+		GuardPolicies:            deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 	}
 
 	yaml.WriteString("              \"" + toolName + "\": {\n")
diff --git a/pkg/workflow/fetch.go b/pkg/workflow/fetch.go
@@ -53,15 +53,21 @@ func AddMCPFetchServerIfNeeded(tools map[string]any, engine CodingAgentEngine) (
 // renderMCPFetchServerConfig renders the MCP fetch server configuration
 // This is a shared function that can be used by all engines
 // includeTools parameter adds "tools": ["*"] field for engines that require it (e.g., Copilot)
-func renderMCPFetchServerConfig(yaml *strings.Builder, format string, indent string, isLast bool, includeTools bool) {
+// guardPolicies parameter adds write-sink guard policies when derived from the GitHub guard-policy
+func renderMCPFetchServerConfig(yaml *strings.Builder, format string, indent string, isLast bool, includeTools bool, guardPolicies map[string]any) {
 	fetchLog.Printf("Rendering MCP fetch server config: format=%s, includeTools=%v", format, includeTools)
 
 	switch format {
 	case "json":
 		// JSON format (for Claude, Copilot, Custom engines)
 		// Use container key per MCP Gateway schema (container-based stdio server)
 		yaml.WriteString(indent + "\"web-fetch\": {\n")
-		yaml.WriteString(indent + "  \"container\": \"mcp/fetch\"\n")
+		if len(guardPolicies) > 0 {
+			yaml.WriteString(indent + "  \"container\": \"mcp/fetch\",\n")
+			renderGuardPoliciesJSON(yaml, guardPolicies, indent+"  ")
+		} else {
+			yaml.WriteString(indent + "  \"container\": \"mcp/fetch\"\n")
+		}
 		if isLast {
 			yaml.WriteString(indent + "}\n")
 		} else {
@@ -73,5 +79,9 @@ func renderMCPFetchServerConfig(yaml *strings.Builder, format string, indent str
 		yaml.WriteString(indent + "\n")
 		yaml.WriteString(indent + "[mcp_servers.\"web-fetch\"]\n")
 		yaml.WriteString(indent + "container = \"mcp/fetch\"\n")
+		// Add guard policies as a separate TOML section if configured
+		if len(guardPolicies) > 0 {
+			renderGuardPoliciesToml(yaml, guardPolicies, "web-fetch")
+		}
 	}
 }
diff --git a/pkg/workflow/fetch_test.go b/pkg/workflow/fetch_test.go
@@ -188,7 +188,7 @@ func TestRenderMCPFetchServerConfig(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var yaml strings.Builder
-			renderMCPFetchServerConfig(&yaml, tt.format, tt.indent, tt.isLast, tt.includeTools)
+			renderMCPFetchServerConfig(&yaml, tt.format, tt.indent, tt.isLast, tt.includeTools, nil)
 			output := yaml.String()
 
 			for _, substr := range tt.expectSubstr {
diff --git a/pkg/workflow/gemini_mcp.go b/pkg/workflow/gemini_mcp.go
@@ -15,11 +15,12 @@ func (e *GeminiEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]a
 	// Create unified renderer with Gemini-specific options
 	createRenderer := func(isLast bool) *MCPConfigRendererUnified {
 		return NewMCPConfigRenderer(MCPRendererOptions{
-			IncludeCopilotFields: false,
-			InlineArgs:           false,
-			Format:               "json", // Gemini uses JSON format like Claude/Codex
-			IsLast:               isLast,
-			ActionMode:           GetActionModeFromWorkflowData(workflowData),
+			IncludeCopilotFields:   false,
+			InlineArgs:             false,
+			Format:                 "json", // Gemini uses JSON format like Claude/Codex
+			IsLast:                 isLast,
+			ActionMode:             GetActionModeFromWorkflowData(workflowData),
+			WriteSinkGuardPolicies: deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 		})
 	}
 
@@ -54,7 +55,7 @@ func (e *GeminiEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]a
 				renderer.RenderMCPScriptsMCP(yaml, mcpScripts, workflowData)
 			},
 			RenderWebFetch: func(yaml *strings.Builder, isLast bool) {
-				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, false)
+				renderMCPFetchServerConfig(yaml, "json", "              ", isLast, false, deriveWriteSinkGuardPolicyFromWorkflow(workflowData))
 			},
 			RenderCustomMCPConfig: func(yaml *strings.Builder, toolName string, toolConfig map[string]any, isLast bool) error {
 				return renderCustomMCPConfigWrapperWithContext(yaml, toolName, toolConfig, isLast, workflowData)
diff --git a/pkg/workflow/mcp_config_builtin.go b/pkg/workflow/mcp_config_builtin.go
@@ -172,7 +172,7 @@ func renderSafeOutputsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, i
 // renderAgenticWorkflowsMCPConfigWithOptions generates the Agentic Workflows MCP server configuration with engine-specific options
 // Per MCP Gateway Specification v1.0.0 section 3.2.1, stdio-based MCP servers MUST be containerized.
 // Uses MCP Gateway spec format: container, entrypoint, entrypointArgs, and mounts fields.
-func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, includeCopilotFields bool, actionMode ActionMode) {
+func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, includeCopilotFields bool, actionMode ActionMode, guardPolicies map[string]any) {
 	mcpBuiltinLog.Printf("Rendering Agentic Workflows MCP config: isLast=%v, includeCopilotFields=%v, actionMode=%v", isLast, includeCopilotFields, actionMode)
 
 	// Environment variables: map of env var name to value (literal) or source variable (reference)
@@ -288,7 +288,13 @@ func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bo
 
 		yaml.WriteString("                  \"" + envVar.name + "\": \"" + valueStr + "\"" + comma + "\n")
 	}
-	yaml.WriteString("                }\n")
+	// Close env section - with or without trailing comma depending on whether guard policies follow
+	if len(guardPolicies) > 0 {
+		yaml.WriteString("                },\n")
+		renderGuardPoliciesJSON(yaml, guardPolicies, "                ")
+	} else {
+		yaml.WriteString("                }\n")
+	}
 
 	if isLast {
 		yaml.WriteString("              }\n")
diff --git a/pkg/workflow/mcp_config_comprehensive_test.go b/pkg/workflow/mcp_config_comprehensive_test.go
@@ -653,7 +653,7 @@ func TestRenderSerenaMCPConfigWithOptions(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			var output strings.Builder
 
-			renderSerenaMCPConfigWithOptions(&output, tt.serenaTool, tt.isLast, tt.includeCopilotFields, tt.inlineArgs)
+			renderSerenaMCPConfigWithOptions(&output, tt.serenaTool, tt.isLast, tt.includeCopilotFields, tt.inlineArgs, nil)
 
 			result := output.String()
 
@@ -1153,7 +1153,7 @@ func TestRenderSerenaMCPConfigDockerMode(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			var output strings.Builder
 
-			renderSerenaMCPConfigWithOptions(&output, tt.serenaTool, tt.isLast, tt.includeCopilotFields, tt.inlineArgs)
+			renderSerenaMCPConfigWithOptions(&output, tt.serenaTool, tt.isLast, tt.includeCopilotFields, tt.inlineArgs, nil)
 
 			result := output.String()
 
diff --git a/pkg/workflow/mcp_config_custom.go b/pkg/workflow/mcp_config_custom.go
@@ -31,6 +31,7 @@ func renderCustomMCPConfigWrapperWithContext(yaml *strings.Builder, toolName str
 		IndentLevel:              "                ",
 		Format:                   "json",
 		RewriteLocalhostToDocker: rewriteLocalhost,
+		GuardPolicies:            deriveWriteSinkGuardPolicyFromWorkflow(workflowData),
 	}
 
 	err := renderSharedMCPConfig(yaml, toolName, toolConfig, renderer)
@@ -181,9 +182,14 @@ func renderSharedMCPConfig(yaml *strings.Builder, toolName string, toolConfig ma
 		return nil
 	}
 
+	// When guard policies are present in JSON format, they become the actual last field.
+	// The last existing property must have a trailing comma to allow appending guard policies.
+	hasTrailingGuardPolicies := renderer.Format == "json" && len(renderer.GuardPolicies) > 0
+
 	// Render properties based on format
 	for propIndex, property := range existingProperties {
-		isLast := propIndex == len(existingProperties)-1
+		// In JSON format, if guard policies follow, the last existing property is no longer "last"
+		isLast := (propIndex == len(existingProperties)-1) && !hasTrailingGuardPolicies
 
 		switch property {
 		case "type":
@@ -497,6 +503,15 @@ func renderSharedMCPConfig(yaml *strings.Builder, toolName string, toolConfig ma
 		}
 	}
 
+	// Render guard policies after all properties
+	if hasTrailingGuardPolicies {
+		// JSON format: guard policies are the last field inside the server object
+		renderGuardPoliciesJSON(yaml, renderer.GuardPolicies, renderer.IndentLevel)
+	} else if renderer.Format == "toml" && len(renderer.GuardPolicies) > 0 {
+		// TOML format: guard policies are a separate TOML section after the server config
+		renderGuardPoliciesToml(yaml, renderer.GuardPolicies, toolName)
+	}
+
 	return nil
 }
 
diff --git a/pkg/workflow/mcp_config_playwright_renderer.go b/pkg/workflow/mcp_config_playwright_renderer.go
@@ -68,7 +68,7 @@ var mcpPlaywrightLog = logger.New("workflow:mcp_config_playwright_renderer")
 // renderPlaywrightMCPConfigWithOptions generates the Playwright MCP server configuration with engine-specific options
 // Per MCP Gateway Specification v1.0.0 section 3.2.1, stdio-based MCP servers MUST be containerized.
 // Uses MCP Gateway spec format: container, entrypointArgs, mounts, and args fields.
-func renderPlaywrightMCPConfigWithOptions(yaml *strings.Builder, playwrightConfig *PlaywrightToolConfig, isLast bool, includeCopilotFields bool, inlineArgs bool) {
+func renderPlaywrightMCPConfigWithOptions(yaml *strings.Builder, playwrightConfig *PlaywrightToolConfig, isLast bool, includeCopilotFields bool, inlineArgs bool, guardPolicies map[string]any) {
 	mcpPlaywrightLog.Printf("Rendering Playwright MCP config options: copilot_fields=%t, inline_args=%t", includeCopilotFields, inlineArgs)
 	customArgs := getPlaywrightCustomArgs(playwrightConfig)
 
@@ -155,7 +155,13 @@ func renderPlaywrightMCPConfigWithOptions(yaml *strings.Builder, playwrightConfi
 	}
 
 	// Add volume mounts
-	yaml.WriteString("                \"mounts\": [\"/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw\"]\n")
+	// When guard policies follow, mounts is not the last field (add trailing comma)
+	if len(guardPolicies) > 0 {
+		yaml.WriteString("                \"mounts\": [\"/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw\"],\n")
+		renderGuardPoliciesJSON(yaml, guardPolicies, "                ")
+	} else {
+		yaml.WriteString("                \"mounts\": [\"/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw\"]\n")
+	}
 
 	// Note: tools field is NOT included here - the converter script adds it back
 	// for Copilot. This keeps the gateway config compatible with the schema.
diff --git a/pkg/workflow/mcp_config_refactor_test.go b/pkg/workflow/mcp_config_refactor_test.go
@@ -186,7 +186,7 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			var output strings.Builder
 
-			renderAgenticWorkflowsMCPConfigWithOptions(&output, tt.isLast, tt.includeCopilotFields, tt.actionMode)
+			renderAgenticWorkflowsMCPConfigWithOptions(&output, tt.isLast, tt.includeCopilotFields, tt.actionMode, nil)
 
 			result := output.String()
 
diff --git a/pkg/workflow/mcp_config_serena_renderer.go b/pkg/workflow/mcp_config_serena_renderer.go
@@ -86,7 +86,7 @@ func selectSerenaContainer(serenaTool any) string {
 
 // renderSerenaMCPConfigWithOptions generates the Serena MCP server configuration with engine-specific options
 // Uses Docker container with stdio transport (ghcr.io/github/serena-mcp-server:latest)
-func renderSerenaMCPConfigWithOptions(yaml *strings.Builder, serenaTool any, isLast bool, includeCopilotFields bool, inlineArgs bool) {
+func renderSerenaMCPConfigWithOptions(yaml *strings.Builder, serenaTool any, isLast bool, includeCopilotFields bool, inlineArgs bool, guardPolicies map[string]any) {
 	customArgs := getSerenaCustomArgs(serenaTool)
 
 	yaml.WriteString("              \"serena\": {\n")
@@ -136,7 +136,13 @@ func renderSerenaMCPConfigWithOptions(yaml *strings.Builder, serenaTool any, isL
 
 	// Add volume mount for workspace access
 	// Security: Use GITHUB_WORKSPACE environment variable instead of template expansion to prevent template injection
-	yaml.WriteString("                \"mounts\": [\"\\${GITHUB_WORKSPACE}:\\${GITHUB_WORKSPACE}:rw\"]\n")
+	// When guard policies follow, mounts is not the last field (add trailing comma)
+	if len(guardPolicies) > 0 {
+		yaml.WriteString("                \"mounts\": [\"\\${GITHUB_WORKSPACE}:\\${GITHUB_WORKSPACE}:rw\"],\n")
+		renderGuardPoliciesJSON(yaml, guardPolicies, "                ")
+	} else {
+		yaml.WriteString("                \"mounts\": [\"\\${GITHUB_WORKSPACE}:\\${GITHUB_WORKSPACE}:rw\"]\n")
+	}
 
 	// Note: tools field is NOT included here - the converter script adds it back
 	// for Copilot. This keeps the gateway config compatible with the schema.
diff --git a/pkg/workflow/mcp_config_types.go b/pkg/workflow/mcp_config_types.go
@@ -47,6 +47,11 @@ type MCPConfigRenderer struct {
 	// RewriteLocalhostToDocker indicates if localhost URLs should be rewritten to host.docker.internal
 	// This is needed when the agent runs inside a firewall container and needs to access MCP servers on the host
 	RewriteLocalhostToDocker bool
+	// GuardPolicies contains the write-sink guard policies to render at the end of the MCP server configuration.
+	// For JSON format, they are added as the last field inside the server object.
+	// For TOML format, they are added as a separate TOML section after the server config.
+	// Nil when no guard policies should be applied.
+	GuardPolicies map[string]any
 }
 
 // ToolConfig represents a tool configuration interface for type safety
diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go
diff --git a/pkg/workflow/mcp_renderer_builtin.go b/pkg/workflow/mcp_renderer_builtin.go
diff --git a/pkg/workflow/mcp_renderer_types.go b/pkg/workflow/mcp_renderer_types.go
diff --git a/pkg/workflow/mcp_scripts_renderer.go b/pkg/workflow/mcp_scripts_renderer.go
diff --git a/pkg/workflow/non_github_mcp_guard_policy_test.go b/pkg/workflow/non_github_mcp_guard_policy_test.go
