Enforce intercepts MCP tool calls to apply security policies before execution. Unlike Detect (which discovers configurations), Enforce actively controls what shadow MCPs can do in real time.
How It Works
When Enforce is installed, it intercepts MCP tool calls before execution:
- User invokes a tool — The AI assistant requests a tool call from a shadow MCP
- Intercept — The call is captured before reaching the MCP server
- Policy evaluation — The call is checked against your organization's policies
- Decision — The call is either:
  - Allowed — Proceeds to the MCP server normally
  - Blocked — Prevented and logged for security review
- Audit logging — All intercepted calls are logged for visibility
What Gets Intercepted
Enforce intercepts tool calls from shadow MCP servers — those configured directly in the client rather than through Runlayer. This includes MCP servers embedded in native client plugins (e.g. Claude Code marketplace plugins). The hook resolves MCP endpoints from installed plugin manifests and enforces the same rules. Tool calls to Runlayer-managed MCPs (server, plugin, and skill proxy URLs) are recognized as managed and allowed through. All other remote MCP URLs are blocked unless they appear on the allowlist.
Allowed remote MCP URLs (allowlist)
When Enforce hooks are installed, Enforce blocks remote (HTTP/S) MCP servers that do not point at your Runlayer instance. Workspace admins can add allowed remote MCP URLs under Settings → Shadow MCPs, in the Enforce section (Save allowlist). Each entry is a base URL. A tool call's MCP URL is allowed when:
- The scheme, host, and port match the entry (default ports `443`/`80` for HTTPS / HTTP are treated the same as omitting the port).
- If the entry has no path (or only `/`), any path on that origin is allowed.
- If the entry includes a path (for example `https://partner.example.com/mcp`), the MCP URL's path must match that prefix with a path boundary: `/mcp` and `/mcp/stream` match; `/mcpbackup` does not.
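The following is an added example, not Runlayer's code, that models the intercept → policy evaluation → decision → audit flow from "How It Works" together with the allowlist matching rules above. It assumes a Runlayer instance base URL of `https://runlayer.example.com`, a constructed allowlist and constructed tool calls; the function names (`url_allowed_by_entry`, `evaluate_tool_call`, `run_demo`) and the simplification that "points at your Runlayer instance" means "same origin as the instance URL" are assumptions for illustration. The page does not describe how non-HTTP(S) transports are handled, so the example treats them as out of scope and labels that choice.

```python
"""Model of the Enforce allowlist decision (added example, not Runlayer's code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url: str) -> tuple:
    """Normalize scheme/host/port so an explicit default port equals an omitted port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port: Optional[int] = parts.port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None
    return scheme, host, port


def _path_matches_prefix(path: str, prefix: str) -> bool:
    """Prefix match on a path boundary: /mcp matches /mcp and /mcp/stream, not /mcpbackup."""
    prefix = prefix.rstrip("/")
    if prefix == "":
        return True  # entry with no path (or only "/") allows any path on that origin
    path = path or "/"
    return path == prefix or path.startswith(prefix + "/")


def url_allowed_by_entry(mcp_url: str, entry: str) -> bool:
    """Apply the two allowlist rules: origin must match, then the path-prefix rule."""
    if _origin(mcp_url) != _origin(entry):
        return False
    return _path_matches_prefix(urlsplit(mcp_url).path, urlsplit(entry).path)


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "block"
    reason: str  # "managed", "allowlisted", "not_allowlisted", "not_remote"


def evaluate_tool_call(mcp_url: str, runlayer_base: str, allowlist: list) -> Decision:
    """Policy evaluation step: managed URLs pass, allowlisted URLs pass, the rest are blocked."""
    scheme = urlsplit(mcp_url).scheme.lower()
    if scheme not in DEFAULT_PORTS:
        # Assumption: the remote allowlist only governs HTTP/S servers; other transports
        # are not covered by this page, so they are reported as out of scope here.
        return Decision("allow", "not_remote")
    # Assumption: a URL "points at your Runlayer instance" when it shares the instance origin.
    if url_allowed_by_entry(mcp_url, runlayer_base):
        return Decision("allow", "managed")
    for entry in allowlist:
        if url_allowed_by_entry(mcp_url, entry):
            return Decision("allow", "allowlisted")
    return Decision("block", "not_allowlisted")


def audit_record(tool: str, mcp_url: str, decision: Decision) -> dict:
    """Audit logging step: every intercepted call is recorded, allowed or blocked."""
    return {"tool": tool, "mcp_url": mcp_url,
            "action": decision.action, "reason": decision.reason}


def run_demo() -> list:
    """Run constructed sample tool calls through the decision and return the audit log."""
    runlayer_base = "https://runlayer.example.com"  # constructed instance URL
    allowlist = ["https://partner.example.com/mcp", "https://tools.example.net"]  # constructed
    calls = [  # constructed (tool name, MCP URL) pairs
        ("list_servers", "https://runlayer.example.com/servers/abc/mcp"),
        ("search", "https://partner.example.com:443/mcp/stream"),
        ("search", "https://partner.example.com/mcpbackup"),
        ("read_file", "https://tools.example.net/v1/mcp"),
        ("exec", "https://unknown.example.org/mcp"),
    ]
    log = []
    for tool, url in calls:
        log.append(audit_record(tool, url, evaluate_tool_call(url, runlayer_base, allowlist)))
    return log


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

The path-boundary rule is the part worth testing in isolation: a naive `startswith` check would let `/mcpbackup` through on an entry of `/mcp`, which is exactly the case the rule above excludes.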
Supported Clients
| Client | macOS | Windows |
|---|---|---|
| Cursor | ✓ | Coming soon |
| Claude Code | ✓ | Coming soon |
| Codex | ✓ | Coming soon |
Additional client support is in active development. Check the Runlayer dashboard for the latest supported clients.
Deployment
Installed Enforce hooks block shadow MCP tool calls by default. The Full session scanning controls under Settings → Workspace are separate and are not required for Shadow MCP enforcement.
TLS trust: The runlayer CLI and MDM-deployed aiwatch binary verify HTTPS through the OS trust store — macOS Keychain (login + System), Windows certificate stores (Current User + Local Machine), and the Linux distro CA bundle (/etc/ssl/certs). Corporate root CAs pushed via MDM, GPO, or Intune are honored automatically with no extra config. If your corporate root is not installed system-wide and hooks fail with CERTIFICATE_VERIFY_FAILED, see Troubleshooting for --ca-bundle, RUNLAYER_CA_BUNDLE, SSL_CERT_FILE, and REQUESTS_CA_BUNDLE overrides.
MDM Deployment
Deploy Enforce across your organization directly from the Runlayer dashboard. Navigate to Settings → Shadow MCPs to create or view an Enforce configuration, then follow the guide for your MDM platform:
- SimpleMDM: macOS deployment
- Jamf Pro: macOS deployment
- Mosyle: macOS deployment
- Iru/Kandji: macOS deployment
- Other MDM: Any MDM with script execution
Manual Installation
For testing or individual device setup, install Enforce directly using the Runlayer CLI.
Step 1 — Install the Runlayer CLI:
Make sure ~/.local/bin (macOS/Linux) or %USERPROFILE%\.local\bin (Windows) is on PATH. Enforce hooks require runlayer to be available on PATH at runtime — using uv tool install (rather than uvx) ensures the binary is permanently available.
Step 2 — Verify the CLI is on PATH:
If you get command not found, restart your terminal or run uv tool update-shell. See Troubleshooting for more details.
Step 3 — Log in to your Runlayer instance:
The resulting configuration is written to ~/.runlayer/config.yaml.
Step 4 — Install Enforce:
| Flag | Description |
|---|---|
| `--install` | Perform the installation |
| `--uninstall` | Remove hooks |
| `--yes` | Skip confirmation prompts |
| `--host` | Validate this host exists in config before install |
| `--client` | Install for a specific client (cursor, claude_code, or codex; default: all) |
| `--all-events` | Register all hook events including pipeline (default: enforcement only) |
| `--no-enforcement` | Monitoring only — register hooks but skip blocking enforcement |
| `--mdm` | Install to enterprise location (requires elevated permissions) |
MDM-generated scripts run setup hooks --install --mdm --yes (with an optional --client flag). The --mdm flag writes hooks to the enterprise location (e.g., /Library/Application Support/Cursor/) and skips the user config check since the script runs as root.
Use --no-enforcement when you want visibility into shadow MCP tool calls without blocking any requests. All calls are still logged and sent through the data pipeline, but no policy enforcement is applied. This is useful for a rollout phase where you want to observe before enforcing.
Uninstall:
Troubleshooting
Not intercepting calls
- Restart the client application after installation
- Check that the client is supported (see table above)
- Ensure Enforce is installed for the correct client
Installation fails
- Ensure uv is installed: curl -LsSf https://astral.sh/uv/install.sh | sh
- Check network connectivity to your Runlayer instance
- Verify the host URL is correct
- Try running with verbose output for more details
Performance issues
- Check your Runlayer instance connectivity
- Review the number of policies being evaluated
- Contact Runlayer support if issues persist
Related Resources
- Shadow MCP Overview: Understanding the shadow MCP problem
- Detect: Discover shadow servers via scheduled scans
- Policies: Configure access control policies
- Audit Logs: View intercepted tool calls