Every tool call goes through policy_check(action, context, scopes, rate_limiter).
- Scope membership check (is the target URL inside the verified scope?).
- Destructive denylist (DELETE/DROP/TRUNCATE, /admin/users/*/delete, /password/*).
- Per-target rate limit (token bucket, default 5 req/s).
- Optional LLM pre-flight for free-form payloads.
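The four checks above as one gate, written here as an added example rather than the project's own code. The `Action`/`Decision` shapes, the scope format (a list of verified host names, subdomains included), the glob form of the path denylist, and the `llm_preflight` callable in `context` are assumptions; the defaults (5 req/s, the denylist entries) are the page's.

```python
"""Added example: a policy_check gate with scope, destructive denylist,
per-target token-bucket rate limit and an optional pre-flight hook.
The class/field names and the scope and denylist formats are assumed."""
import fnmatch
import re
import time
from dataclasses import dataclass
from urllib.parse import urlparse

# Destructive verbs from the page; matched as whole words in free-form payloads
DESTRUCTIVE_WORDS = re.compile(r"\b(DELETE|DROP|TRUNCATE)\b", re.IGNORECASE)
# Destructive path patterns from the page, treated as shell-style globs (assumption)
DESTRUCTIVE_PATHS = ["/admin/users/*/delete", "/password/*"]


@dataclass
class Action:            # assumed shape of a tool call
    method: str
    url: str
    payload: str = ""    # free-form body, if any


@dataclass
class Decision:
    allowed: bool
    reason: str


class TokenBucket:
    """Per-target token bucket; default 5 req/s as on the page.
    `clock` is injectable so the refill logic can be tested deterministically."""

    def __init__(self, rate=5.0, burst=5, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self._state = {}  # target -> (tokens, last_refill_time)

    def allow(self, target):
        now = self.clock()
        tokens, last = self._state.get(target, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[target] = (tokens, now)
            return False
        self._state[target] = (tokens - 1, now)
        return True


def in_scope(url, scopes):
    """scopes: verified host names; a subdomain of a scoped host is in scope."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in scopes)


def is_destructive(action):
    """HTTP DELETE, a denylisted path, or a destructive SQL verb in the payload."""
    if action.method.upper() == "DELETE":
        return True
    path = urlparse(action.url).path
    if any(fnmatch.fnmatch(path, g) for g in DESTRUCTIVE_PATHS):
        return True
    return bool(DESTRUCTIVE_WORDS.search(action.payload))


def policy_check(action, context, scopes, rate_limiter):
    """Run the checks in the order listed on the page; first failure wins.
    The rate limiter only spends a token once scope/denylist have passed."""
    if not in_scope(action.url, scopes):
        return Decision(False, "out of scope")
    if is_destructive(action):
        return Decision(False, "destructive action denied")
    target = urlparse(action.url).hostname
    if not rate_limiter.allow(target):
        return Decision(False, "rate limited")
    # Optional pre-flight hook (assumed key); only consulted for free-form payloads
    preflight = context.get("llm_preflight")
    if preflight and action.payload:
        ok, why = preflight(action.payload)
        if not ok:
            return Decision(False, "preflight: " + why)
    return Decision(True, "ok")


if __name__ == "__main__":
    rl = TokenBucket()
    print(policy_check(Action("GET", "https://app.example.test/api/items"),
                       {}, ["example.test"], rl))
```

The denylist is deliberately matched before the rate limiter so a denied call never spends a token, and the glob `*` spans path segments, which makes the path denylist err on the side of blocking.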