Validates code bindings against the actual filesystem — checks which file_pattern globs still match real files. Omit item_type and item_id to verify ALL bindings workspace-wide. Updates last_verified timestamps. Use periodically or after major refactors. For finding bindings that are already know...
AI agents call verify_bindings to retrieve information from Engrams without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
This tool reads filesystem state and queries binding metadata without creating, modifying, or deleting data. The timestamp update is metadata-only and incidental to the read operation. While it does scan the filesystem (minor resource concern), it performs no side effects on files or bindings themselves.
From the tool's definition Tool performs validation and checks against filesystem to verify file_pattern globs match real files. Returns verification results including verified_count, valid, broken lists. Updates last_verified timestamps but does not modify, delete, or execute code.
Documented attack patterns abuse exactly the kind of access verify_bindings gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Engrams, and nothing reaches the server without passing your rules. This is the rule we recommend for verify_bindings:
{
"version": "1",
"default": "deny",
"tools": {
"verify_bindings": {}
}
}verify_bindings is read-only, so it stays allowed — but everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Validates code bindings against the actual filesystem — checks which file_pattern globs still match real files. Omit item_type and item_id to verify ALL bindings workspace-wide. Updates last_verified timestamps. Use periodically or after major refactors. For finding bindings that are already known to be stale, use get_stale_bindings instead (cheaper, no filesystem scan). Returns: {verified_count, valid: [...], broken: [...], ...}. Workflow (code binding): Step 2 of 3 — bind_code_to_item → verify_bindings (this tool, confirm the glob matches real files) → get_context_for_files or get_bindings_for_item. Common mistake: calling verify_bindings before any bindings exist — it returns verified_count=0 with empty valid/broken arrays, not an error. Use get_bindings_for_item first to confirm bindings exist. Broken bindings (files deleted or moved) should be updated via bind_code_to_item with the corrected file_pattern. It is categorised as a Read tool in the Engrams MCP Server, which means it retrieves data without modifying state.
Register the Engrams MCP server in PolicyLayer and add a rule for verify_bindings: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Engrams. Nothing to install.
verify_bindings is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the verify_bindings rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for verify_bindings. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
verify_bindings is provided by the Engrams MCP server (stevebrownlee/engrams). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from Engrams, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
42 Engrams tools catalogued and risk-classified — across an index of 43,000+ MCP servers.