Sample MCP Gateway Readiness Audit

Where the authorization decision lives, whether the model ever participates in it, and how granular the grants are.

Authorization is enforced at the gateway on caller identity, resolved as a strict intersection of key → team → end-user → agent → org permissions, with org as a ceiling. A full-tree search found no in-prompt tool gating — no "only call this if the user is an admin" logic in any system prompt. Deny-by-default holds for unmapped callers. Per-tool granularity exists, but it is opt-in per server: with no allowlist configured, the tool-permission check returns "allow."

The hard part — keeping the model out of the authorization decision — is done correctly. The residual risk is operator misconfiguration: a write or external tool on a server with no tool allowlist is callable by anyone with server access.

Every exception handler on the authorization and call path — does a degraded check deny or allow?

Every per-level permission resolver fails closed: on an unexpected exception it logs and returns an empty set, resolving to "no access" downstream. One exception: the top-level policy resolver returns the set of allow-all servers (not an empty set) on an unexpected error — a partial fail-open, bounded to servers an operator already marked public. Every upstream call carries an explicit timeout; a per-tool parameter allowlist rejects unexpected arguments; and concurrency/rate limits shed load with HTTP 429.

Fail-open in an authorization resolver is the single highest-risk class in the framework — it's how a degraded check silently becomes "allow." Here it is bounded, but it is still the one line that errs toward exposure. It is also a one-line fix.

How servers and tools are registered, whether the running tool set is reconstructable from source control, and whether onboarding enforces governance.

A declarative config block exists, but MCP servers can also be created at runtime via an authenticated REST endpoint that writes to a database — a dual, mutable source of truth where running state can drift from source control. The curated third-party catalog references stdio servers via unpinned floating-tag commands (e.g. npx -y @vendor/mcp-server) with no version, digest, or checksum. CI is otherwise strong (schema-sync, CodeQL, supply-chain scorecard, unit tests) but has no required-field gate on a tool-registration PR.

You cannot fully reconstruct the live tool set from source control when servers can be added via the API, and an unpinned third-party server is a tampered-package away from a supply-chain incident (OWASP LLM05). Onboarding is the natural enforcement point for the controls that are bolt-on today.

Guardrails, alerting, the ability to stop a misbehaving tool, and staged-rollout discipline.

A dedicated MCP security guardrail defaults to block (not alert), alongside a catalog of injection/jailbreak guardrails and MCP-specific permission guardrails. Slack/email/Prometheus alerting (including hanging-request detection) ships. Tools and servers can be disabled via config without a binary redeploy. Helm chart, hardened compose, and Terraform ship for staged deploy.

The operational levers exist, so an incident is recoverable — but with friction. There is no single tested global kill-switch surfaced in code, no enforced canary/blue-green, and the red-team guardrails are available but operator-wired, not a standing CI gate.