Skip to content

MCP Track B Phase B0-B2: design inbound MCP architecture, auth, PRM, and governance #1017

Description

@Bionic711

Summary

Implement the inbound SimpleChat MCP foundation from #1013: architecture decision, dedicated auth guard, Protected Resource Metadata (PRM), governance, roles, client allowlists, and explicit tool policy.

Scope

  • Choose first production hosting model for inbound MCP.
  • Prefer a first-class SimpleChat component/service layer initially, with optional later sidecar/container deployment.
  • Keep MCP tool business logic behind reusable authorization-aware service functions.
  • Start with streamable HTTP.
  • Add a dedicated inbound MCP auth guard without broadening accesstoken_required.
  • Validate token issuer, tenant, expiration, and audience.
  • Require a dedicated inbound MCP role/scope or deliberately reused ExternalApi role.
  • Add approved caller app ID allowlist.
  • Separate app-only and delegated user access.
  • Reject app-only tokens for user-data tools unless a future admin-only operation is explicitly designed.
  • Add .well-known/oauth-protected-resource metadata.
  • Add governance settings for global enablement, per-client enablement, per-tool allowlists, per-scope allowlists, and optional rate limits.
  • Build an explicit inbound MCP tool registry with required identity type, workspace scope, feature flags, governance keys, rate-limit category, and audit event type.

Acceptance Criteria

  • Inbound MCP has a documented architecture choice and deployment boundary.
  • Auth failures are distinct from governance denials.
  • Token validation includes issuer, audience, expiration, tenant, role/scope, and caller app ID checks.
  • App-only tokens cannot access personal user data tools.
  • PRM metadata is available and does not expose secrets, internal endpoints, or raw settings.
  • Governance denies by default when client, tool, or scope is not configured.
  • Tests cover missing token, malformed token, expired token, invalid issuer, invalid audience, missing role/scope, disallowed app ID, app-only rejection for user data, delegated token acceptance, disabled global setting, disabled client, disabled tool, and disabled scope.

Notes

Parent: #1013
Prototype/reference PR: #722 should inform intent only; do not copy its implementation directly.
Planning doc: docs/explanation/features/MCP_PLUGIN_ROBUSTNESS_PLAN.md
Priority: P1
Size: XL

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestsecurity_improvementThis issue results in an improvement to security

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Pending Evaluation

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions