Skip to main content

MCP V1 Policy

Scope

The MCP server provides both read-only and read-write tool groups for AI agents in V1. Read-write tools are default-off and must be explicitly enabled per tool group by an operator. This ensures safe, auditable access while preserving full operational capability when authorized.

Default Surface (Read-Only)

By default, the MCP server exposes read-only operational truth:

  • Query delivery status and history
  • Read evidence proofs and integrity receipts
  • Inspect webhook source metadata
  • List configured destinations
  • Retrieve platform health information
  • Fetch tenant-scoped logs

Write Tools (V1, Default-Off)

Write tools are included in V1 but are disabled by default. An operator must explicitly enable each write tool group before it becomes available:

OperationV1 StatusDefault
Event submissionV1 (RW)Off
Source CRUDV1 (RW)Off
Destination CRUDV1 (RW)Off
Replay triggerV1 (RW)Off
Evidence creationPlatform-internalOff

Rationale

The V1 MCP interface prioritizes safe, auditable access for AI agents. Read-only tools are available by default. Write tools require explicit operator enablement per tool group, ensuring that mutating operations are authorized, idempotent, and audited before use.

Enforcement

Tool-group gating is enforced at the MCP proxy layer in zen-back. Write tools that are not enabled return a clear denial response indicating the tool group must be explicitly activated (see MCP Examples for denied and enabled write scenarios).