Choose one MCP-exposed action that can create spend or external consequence
The strongest first lane is one tool request that already matters to ops, finance or vendor posture.
NORNR
Give local agents one control layer before MCP tool use turns into spend, vendor action or policy drift.
NORNR / MCP control server
Productized packagePut one MCP-capable local agent behind review before a tool request becomes consequential.
This package turns NORNR into the control layer above Claude Desktop, Cursor or any MCP-capable local agent. One tool request enters as intent, clears policy, routes into review if needed, and still ends in one defended record later.
The package is not another MCP tool. It is the control surface that makes consequential MCP tool use reviewable, attributable and finance-readable.
Package shape
One local tools lane, one review path, one defended record.
That is how MCP becomes buyer-safe instead of just technically interesting.
Approve, queue or block before the MCP client clears the request
NORNR sits above the tool call. The agent stays useful, but the consequential action is no longer raw autonomous execution.
One owner handles queued requests with the same context attached
Counterparty, purpose, amount and reason arrive in one review surface instead of a reconstruction after the fact.
The local request still ends in one finance-safe trail later
If the MCP package cannot survive into close and audit, it is still only a technical demo.
mcp-local-tools-guarded should feel like the obvious starting posture
Start local MCP clients in shadow or review-first mode with a pack tuned for desktop agents, paid tools and vendor-sensitive actions.
What is already built
The MCP package is real because the control tools, review bundle and config surfaces already exist.
This is not hypothetical MCP support. NORNR already exposes the control model local agents need.
nornr.check_spend and nornr.request_spend make local tool use policy-aware
Local agents can ask NORNR before they trigger paid providers, vendor-side calls or tool actions with real consequence.
nornr.approve_spend, nornr.reject_spend and nornr.pending_approvals keep MCP requests in one review path
The same local requests can queue for review without forcing operators into side threads or custom rescue logic.
nornr.review_bundle, nornr.finance_packet, nornr.weekly_review and nornr.intent_timeline carry the path outward
MCP-originated actions already feed the same bundle, finance packet and timeline surfaces as the rest of NORNR.
nornr mcp serve, manifest and config helpers make setup copy-pasteable
The package gets stronger because Claude Desktop, Cursor and generic MCP clients can be onboarded from the SDK directly.
What it proves
NORNR can sit above local tool execution without weakening the control model.
That is what makes MCP strategically strong for NORNR: broader reach, same decision and proof posture.
A local agent proposes a tool request
The request already carries purpose, counterparty and budget context before it hits a provider or vendor.
NORNR evaluates the active mandate
The control server decides whether this request may proceed under the current owner posture.
Low-risk requests stay fast
Approved MCP requests continue without inventing new operator drag.
Queued requests enter review
Higher-risk tool use lands in one review path with the reason already attached.
The resulting action stays attributable
The same trail keeps decision, reviewer and evidence tied to the MCP-originated action.
Finance and audit still get one export path later
The package is complete only when local-tool requests survive outside the control room too.
Why NORNR over a raw MCP tool
Raw MCP tools expose capability. NORNR adds decision, review and defended export.
That is the difference between a useful local tool and a buyer-safe local tool lane.
The client can call a tool, but the burden of permission and review stays elsewhere
You still need to decide what is allowed, who reviews higher-risk actions and how finance reconstructs what happened later.
The tool request becomes an intent with policy, queueing and one exported trail
The control plane answers whether the action should happen, who must review it and what packet survives outside the desktop client afterward.
Claude Desktop, Cursor and Agent Zero stop being governance blind spots
Local-agent use can finally read like the same institutional control path as hosted runtime spend, not a shadow workflow.
Install paths
Front Claude Desktop, Cursor and custom MCP clients with the same package.
The config should be copy-pasteable enough that NORNR feels ambient inside the local tools teams already use.
Use the config generator and guided setup
Get the desktop-ready snippet, install the server once and start with one consequential tool lane.
Give coding agents the same control model
Use the Cursor guide when tool use or vendor calls inside the IDE need queueing and finance-safe proof too.
Front autonomous local agents with one review layer
Use the Agent Zero guide when the local agent already has rich tool access and needs one buyer-safe control layer before consequential actions clear.
Copy a ready-to-paste config and command path
Generate the server stanza, env block and rollout notes without guessing the client shape.
What survives after MCP review
Local tool control is only real if the packet model still survives afterward.
That is what separates NORNR from a raw MCP tool wrapper.
MCP requests should queue into the same case file as every other lane
The local client should not invent a different review story. Purpose, threshold, counterparty and owner should still resolve from one standard bundle.
Local-originated actions should still export cleanly when they trigger downstream spend
If a local tool action ultimately creates a charge, statement or vendor-side effect, finance should still receive the same close-ready packet later.
Use the generator when you need the shortest install path
The package becomes default when config, pack and packet links are all obvious on day one.