Approved tool-server list
Approved tool-server list
Section titled “Approved tool-server list”What it does: Per-org allowlist of which upstream MCP servers TapPass will forward to (vendor SaaS, internal MCP, custom).
1. Vision context
Section titled “1. Vision context”When an agent calls gmail.send, TapPass needs to know which MCP server to forward to. For curated catalog tools (gmail.send, slack.send_message, stripe.refund), there's a well-known mapping. For internal MCP servers a customer runs (acme-internal-mcp.acme.local), the operator must register them — there's no way TapPass can guess.
This component is the registry. Per-org, vault-backed for credentials, queried by the upstream-tool-proxy at every forward.
It also gives operators their first answer to "what tools do my agents have access to?" — the union of well-known catalog tools + their own registered MCP servers + the runtime-discovered tools approved through the review queue.
2. Functional specification
Section titled “2. Functional specification”Operations:
- Register:
tappass mcp register --name <id> --url <url> --auth bearer:vault://<key>— pulls the server's tool catalog at registration; stores the entry; emitsmcp_server_registeredaudit. - List:
tappass mcp list [--org <id>]— visible to operators with mcp:read permission. - Inspect:
tappass mcp show <id>— shows registered tools, last-seen, auth health. - Update / revoke:
tappass mcp update <id>,tappass mcp revoke <id>.
Schema:
mcp_server: id: acme-internal org_id: org_xxx url: https://mcp.acme.local auth_vault_ref: vault://acme-mcp-bearer trust_tier: registered_auto_approve # or "registered_review_required" advertised_tools: [...] # auto-pulled at registration last_seen_at: 2026-05-07T...3. Technical design
Section titled “3. Technical design”Lives at tappass/policy/mcp_registry/. Two tables: mcp_servers (per-org), mcp_server_audit (registration / revocation events).
4. Definition of done
Section titled “4. Definition of done”- All acceptance_criteria pass.
- Cross-org isolation tested.
- Vault integration: credentials never read into application memory beyond the upstream connection.
5. Coordination notes
Section titled “5. Coordination notes”With upstream-tool-proxy: the proxy queries this on every forward. Cache aggressively (per-org, invalidated on update).
With runtime-tool-discovery: discovered tools advertised by registered upstream servers can auto-approve (the registration is the trust anchor). Tools discovered without an upstream context default-deny.
6. Out of scope
Section titled “6. Out of scope”- Authentication mechanism details (bearer / OAuth / mTLS) — extensible adapter pattern; v1 ships bearer.
- Tool catalog browsing UI — separate concept.