// exploration · mcp-approval · running

Can a human stay in the loop without slowing the agent to a crawl?

The build I've taken furthest: an MCP server on Cloudflare Workers that gates an agent's write and delete actions behind a human approval — signed with a passkey on a second device. It runs; this page is what I learned getting there.

The problem

AI agents increasingly act on real systems — send mail, delete records, change state. A policy rule can say "allowed" or "blocked", but it can't say "this exact action, right now, is fine". For irreversible actions, that's not enough.

The naive answer, and why it falls short

Auto-policy gateways approve by category. They never put a person in the loop for the specific payload. You get speed, but you lose the one thing that matters for risky actions: a deliberate human decision on the real content.

The approach — WYSIWYS

What You See Is What You Sign. The agent requests an action; the exact request appears on your phone or laptop; you approve it with a WebAuthn passkey. What the screen shows is what executes — nothing else. No approval, no action (fail-closed).

gws:gmail.send → signed · passkey ✓
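To make the "what the screen shows is what executes" binding concrete, here is an added example (not the project's own code) of a fail-closed gate: the challenge the human signs is the hash of the canonicalised tool call, and the executor re-derives that hash and refuses anything whose approval does not match. The passkey assertion is stood in for by an Ed25519 key from Node's crypto module (an assumption; a real deployment verifies a WebAuthn assertion instead).

```typescript
// Added example, not the project's code. Ed25519 via node:crypto stands in for
// the WebAuthn passkey assertion; the binding logic is what the example shows.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

interface ToolCall { tool: string; args: Record<string, unknown>; }
interface Approval { challenge: string; signature: Buffer; }

// Canonical JSON with sorted keys, so the hash does not depend on key order
// and two renderings of the same request produce the same challenge.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const o = value as Record<string, unknown>;
    return "{" + Object.keys(o).sort()
      .map(k => JSON.stringify(k) + ":" + canonical(o[k])).join(",") + "}";
  }
  return JSON.stringify(value) ?? "null";
}

// The challenge shown to (and signed by) the human is the hash of the exact request.
function challengeFor(call: ToolCall): string {
  return createHash("sha256").update(canonical(call)).digest("hex");
}

// Stand-in for the second device: sign the displayed challenge with the passkey.
function approve(call: ToolCall, privateKey: KeyObject): Approval {
  const challenge = challengeFor(call);
  return { challenge, signature: sign(null, Buffer.from(challenge), privateKey) };
}

// Fail-closed gate: run the tool only if (1) an approval exists, (2) its challenge
// equals the hash of the call about to execute, and (3) the signature verifies.
function gate(call: ToolCall, approval: Approval | undefined, publicKey: KeyObject,
              execute: (c: ToolCall) => string): { executed: boolean; result?: string } {
  if (!approval) return { executed: false };                                  // no approval, no action
  if (approval.challenge !== challengeFor(call)) return { executed: false };  // payload drifted after approval
  if (!verify(null, Buffer.from(approval.challenge), publicKey, approval.signature)) {
    return { executed: false };                                               // bad or foreign signature
  }
  return { executed: true, result: execute(call) };
}

// Constructed key pair for the demo; in the real flow the public key is the registered passkey.
const keys = generateKeyPairSync("ed25519");
```

The drift check is the WYSIWYS property: an approval for one payload cannot be replayed to authorise a modified one, even by the agent that requested it.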

Decisions & trade-offs

  • Single-user by design. Deliberately not multi-tenant — smaller attack surface and a clear retrofit point if it ever needs to scale.
  • Two authenticators, no recovery code. Register a passkey on two devices; there is no fallback secret to phish. Security over convenience, on purpose.
  • Service binding, not public surface. The knowledge core is reached worker-to-worker, never exposed to the public internet. Defense in depth.

Built with

Cloudflare Workers · D1 · R2 · MCP (Model Context Protocol) · WebAuthn / passkeys · OAuth 2.1 + PKCE · Terraform (IaC) · TypeScript

Internal audit details and secrets are deliberately not published here.

How you use it

Approvals appear in a small web UI on your second device: the exact tool call, in plain text, with approve / reject and a passkey prompt. What the screen shows is what executes — the human-in-the-loop surface for every tool on the hub.

Status & roadmap

Where it stands: running. Live on Cloudflare Workers — MCP server, passkey-signed approvals, fail-closed, and infrastructure as code.

Next: a live, read-only sandbox demo embedded on this page — same-origin, rate-limited, no login — so you can trigger the signing flow yourself.