MCP Boundary by Impact Boundary Labs
Documentation navigation

MCP Tool Rules

Local Email Demo MCP Tool Rules

This playbook shows rule examples for the built-in local email demo.

The local email demo is for first-run learning. It is not Gmail, Outlook, or a real provider integration. It lets you see search, read, draft, and send-like rule decisions without touching a real mailbox.

For the general rule patterns, start with MCP Tool Rule Library.

Safe Starting Point

Use the demo to learn the basic rule model:

email.search_threads      visible + allow
email.get_thread          visible + allow
email.create_draft        visible + allow
email.send_email          visible + block

The send-like tool is blocked so users can see a downstream call stopped before execution.

Tool Surface Overview

The local email demo has four tools:

email.search_threads
email.get_thread
email.create_draft
email.send_email

This surface is intentionally small so new users can understand visibility, allow, block, result limits, and Activity without provider setup.

Read Rules

Good first tools:

  • email.search_threads
  • email.get_thread

Add result limits if you are demonstrating how a broad search result can be bounded.

Draft Rule

The useful write-like demo action is:

  • email.create_draft

Draft creation is a write-like action, but it is still local to the demo. It is good for teaching "prepare but do not send."

High-Risk Send-Like Action

The send-like action is:

  • email.send_email

In the demo, this does not prove real email delivery behavior. Keep it blocked in the first rule config so users see that MCP Boundary can stop a send-like tool before downstream execution.

Good Bindings

Useful bindings to teach:

  • thread id
  • message id
  • draft id
  • exact recipient if a send-like test is ever added

These are scope bindings. The local email demo does not expose a hard version/history field, and its examples intentionally do not use state_binding. Use the database playbook when you want a copyable version/hash stale-state walkthrough.

Weak Bindings To Avoid

Avoid relying on:

  • subject line only
  • "latest thread"
  • recipient display name
  • agent memory of the previous email

Even in a demo, use stable IDs when explaining writes.

Example Rule Configs

First-Run Demo Rule Config

Use this for the default learning path.

The agent can search, read, and create a local demo draft. The agent can see the send-like tool, but MCP Boundary blocks it before downstream execution. This does not prove real Gmail or Outlook behavior.

json
{
"version": "mcp-adapter-host-policy/v1",
"servers": [
{
"server_id": "email-demo",
"tools": [
{
"downstream_tool_name": "email.search_threads",
"exposure": "visible",
"handling_mode": "generic_guarded",
"policy_input_mode": "allow",
"result_limits": {
"max_result_bytes": 32768
}
},
{
"downstream_tool_name": "email.get_thread",
"exposure": "visible",
"handling_mode": "generic_guarded",
"policy_input_mode": "allow",
"result_limits": {
"max_result_bytes": 32768
}
},
{
"downstream_tool_name": "email.create_draft",
"exposure": "visible",
"handling_mode": "generic_guarded",
"policy_input_mode": "allow"
},
{
"downstream_tool_name": "email.send_email",
"exposure": "visible",
"handling_mode": "generic_guarded",
"policy_input_mode": "block"
}
]
}
]
}

What this teaches:

search threads      visible and allowed
read a thread       visible and allowed
create a draft      visible and allowed
send email          visible but blocked

If you want the agent not to see the send-like tool at all, change send to:

json
{
"downstream_tool_name": "email.send_email",
"exposure": "hidden",
"handling_mode": "generic_guarded",
"policy_input_mode": "block"
}

Demo Walkthrough

Good first-run walkthrough:

  • Run quickstart email.
  • Open the dashboard.
  • Show the four demo tools.
  • Search threads and read one thread.
  • Create a draft.
  • Try the send-like tool and show it is blocked.
  • Open Activity and compare allowed draft with blocked send.

This demonstrates the core rule model without making any real provider claim.