I have been using Linux since 2012. When I started seeing agents deleting production databases and pushing to main, I was like, why don't we have chmod on this? We are supposed to be able to get a proper permission system for every action an agent makes.
Every file on a Unix system has rwx permissions. Every process has a user. We have that for decades. Agents in 2026 are running with the same access level as the developer who run them.
Wombat applies the Unix model to MCP tool calls. You declare rwxd permissions on resources in a manifest. The same push_files tool is allowed on feature branches and denied on main. It is a proxy that sits between Claude Code and your MCP servers. It checks permissions.json on every call, and either forwards or denies.
Zero ML, fully deterministic, audit log included, Plugin system for community MCP servers
GitHub: https://github.com/usewombat/gateway npm: npx @usewombat/gateway --help