# `MCPKit.Policy`
[🔗](https://github.com/mcostasilva/mcp_kit/blob/v0.2.4/lib/mcp_kit/policy.ex#L1)

Host-owned authorization boundary for MCP surfaces.

Policy is evaluated on every request. Router declarations define the superset
of available capabilities, while policy determines which items are visible or
invokable for the current session and request parameters.

# `decision`

```elixir
@type decision() :: :allow | {:deny, :not_found | :forbidden}
```

# `authorize`

```elixir
@callback authorize(action :: term(), context :: map()) :: decision()
```

Authorizes a request-time MCP action.

The action identifies the surface being accessed, such as a tool call, prompt
completion, or resource read. The context map includes the current session,
request parameters, normalized arguments, and host definition module.
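
A host policy implementing this callback with a default-deny fallthrough might look like the sketch below, which is an added example and not code from MCPKit. The action tuples (`{:call_tool, name}`, `{:read_resource, uri}`), the context keys (`:session`, `:arguments`), the session's `:roles` list, and the tool and resource names are assumptions made for illustration, as is the choice to return `:not_found` for items a session should not see and `:forbidden` for visible items refused because of their arguments.

```elixir
defmodule MyApp.MCPPolicy do
  # Added example, not part of MCPKit. Action shapes and context keys are
  # assumed; check them against the actions your router actually produces.
  @behaviour MCPKit.Policy

  # Hypothetical table: tool name => role required to see and invoke it.
  @tool_roles %{"search_docs" => :reader, "delete_doc" => :admin}

  # Hypothetical exact-match allowlist of readable resource URIs.
  @public_resources ["docs://public/readme"]

  @impl true
  def authorize({:call_tool, name}, %{session: session} = context) do
    case Map.fetch(@tool_roles, name) do
      {:ok, role} ->
        cond do
          # Missing role: answer as if the tool did not exist, so the
          # response does not confirm which tool names are valid.
          not has_role?(session, role) -> {:deny, :not_found}
          # Tool is visible to this session, but these arguments are refused.
          not args_allowed?(name, context) -> {:deny, :forbidden}
          true -> :allow
        end

      # Tool declared in the router but absent from the policy table.
      :error ->
        {:deny, :not_found}
    end
  end

  def authorize({:read_resource, uri}, _context) when uri in @public_resources,
    do: :allow

  # Default deny: unknown actions, or a context without a session, never
  # fall through to :allow.
  def authorize(_action, _context), do: {:deny, :not_found}

  defp has_role?(%{roles: roles}, role) when is_list(roles), do: role in roles
  defp has_role?(_session, _role), do: false

  # Argument-level rule: admins may delete only scratch documents.
  defp args_allowed?("delete_doc", %{arguments: %{"id" => "tmp-" <> _}}), do: true
  defp args_allowed?("delete_doc", _context), do: false
  defp args_allowed?(_name, _context), do: true
end
```

Because policy is evaluated on every request, the final catch-all clause is what keeps a newly declared router capability closed until the policy names it explicitly.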

---

*Consult [api-reference.md](api-reference.md) for complete listing*
