Summary
Implement the inbound SimpleChat MCP foundation from #1013 : architecture decision, dedicated auth guard, Protected Resource Metadata (PRM), governance, roles, client allowlists, and explicit tool policy.
Scope
Choose first production hosting model for inbound MCP.
Prefer a first-class SimpleChat component/service layer initially, with optional later sidecar/container deployment.
Keep MCP tool business logic behind reusable authorization-aware service functions.
Start with streamable HTTP.
Add a dedicated inbound MCP auth guard without broadening accesstoken_required.
Validate token issuer, tenant, expiration, and audience.
Require a dedicated inbound MCP role/scope or deliberately reused ExternalApi role.
Add approved caller app ID allowlist.
Separate app-only and delegated user access.
Reject app-only tokens for user-data tools unless a future admin-only operation is explicitly designed.
Add .well-known/oauth-protected-resource metadata.
Add governance settings for global enablement, per-client enablement, per-tool allowlists, per-scope allowlists, and optional rate limits.
Build an explicit inbound MCP tool registry with required identity type, workspace scope, feature flags, governance keys, rate-limit category, and audit event type.
Acceptance Criteria
Inbound MCP has a documented architecture choice and deployment boundary.
Auth failures are distinct from governance denials.
Token validation includes issuer, audience, expiration, tenant, role/scope, and caller app ID checks.
App-only tokens cannot access personal user data tools.
PRM metadata is available and does not expose secrets, internal endpoints, or raw settings.
Governance denies by default when client, tool, or scope is not configured.
Tests cover missing token, malformed token, expired token, invalid issuer, invalid audience, missing role/scope, disallowed app ID, app-only rejection for user data, delegated token acceptance, disabled global setting, disabled client, disabled tool, and disabled scope.
Notes
Parent: #1013
Prototype/reference PR: #722 should inform intent only; do not copy its implementation directly.
Planning doc: docs/explanation/features/MCP_PLUGIN_ROBUSTNESS_PLAN.md
Priority: P1
Size: XL
Summary
Implement the inbound SimpleChat MCP foundation from #1013: architecture decision, dedicated auth guard, Protected Resource Metadata (PRM), governance, roles, client allowlists, and explicit tool policy.
Scope
accesstoken_required.ExternalApirole..well-known/oauth-protected-resourcemetadata.Acceptance Criteria
Notes
Parent: #1013
Prototype/reference PR: #722 should inform intent only; do not copy its implementation directly.
Planning doc:
docs/explanation/features/MCP_PLUGIN_ROBUSTNESS_PLAN.mdPriority: P1
Size: XL