MCP Broker (cross-cutting layer) — pointer
What it does: This file is a pointer. The components that enforce at the MCP Broker live under q03-interactions-we-govern/ because they are organized around what gets governed (interactions), not which enforcement position enforces it.
Why a pointer file
The 3 rings + 2 cross-cutting layers model in §9 of governed-agents.md is the canonical defense-in-depth taxonomy (ADR 0001). The MCP Broker is the second cross-cutting layer (peer to the LLM Gateway) — but it is a rich enough surface that it has its own components organized around interactions (outbound tool calls, inbound tool calls, resource ACLs, loop detection). Those components live in q03-interactions-we-govern/.
This pointer file exists so a subagent navigating this folder doesn't think the MCP Broker is missing. It isn't — it's just somewhere else.
What's at this enforcement position
The MCP Broker is the TapPass MCP proxy (when the agent calls outbound tools through us) plus the TapPass MCP server (when external systems call into the agent's tools). Both go through the 32-step pipeline. Both record audit at the tool boundary.
| Concern | Component |
|---|---|
| Forwarding outbound MCP traffic from the agent to upstream tool servers | upstream-tool-proxy |
| Knowing which upstream MCP servers are approved per-org | approved-tool-server-list |
| Per-call resource access enforcement (schema X allowed, schema Y denied) | resource-access-checker |
| Killing the session when destructive ops loop | runaway-agent-stopper |
How the MCP Broker consumes the Compiled Policy
The Compiled Policy is organized by aspect (network / filesystem / tools / interpreter / budget / compliance) per ADR 0003. The MCP Broker's mcp-broker provider consumes:
| Compiled Policy aspect | What the broker does with it |
|---|---|
| tools.allow / tools.deny | Per-call schema ACL (allowed schemas = read/write/none) |
| network.allow_domains | Restricts which upstream MCP servers can be reached |
| compliance_tags | Tags every call's audit row with the regulations in scope |
| budget.tool_calls_per_minute | Per-session rate limit |
| identity.tier | Trust-tier-driven default scope (observer / worker / standard / full) |
```yaml
# Broker runtime config — derived by the mcp-broker provider from the Compiled Policy
mcp_broker:
  proxy_url: wss://api.tappass.ai/mcp/<sandbox_id>
  session_token: tp_mcp_…   # ES256 capability token, 5-min TTL
  pipeline_steps: [schema_acl, loop_guard]
  schemas_acl: { customers: [read, write], pii_archive: [] }
  rate_limit: { tool_calls_per_minute: 60 }
```

The agent's MCP client (in agent-client-sdk) reads the URL and token from the Compiled Policy; the upstream-tool-proxy enforces the pipeline steps server-side using the capability scope.
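The following is an added illustration, not TapPass project code, of how the aspect table and the mcp_broker config above fit together: a function that derives the broker's runtime config from a Compiled Policy (deny overriding allow, tier-driven default scope) and a per-session checker that runs the schema ACL, upstream allowlist, sliding-window rate limit and loop guard in order, tagging every audit row with the compliance tags. The sample policy, the tier-to-scope mapping, the set of "destructive" ops and the three-repeat loop threshold are all assumptions made for the example.

```python
"""Added example (not TapPass code): derive a broker runtime config from a
Compiled Policy and apply the broker-side checks on each outbound tool call.
Sample policy, tier scopes, destructive-op set and loop threshold are assumed."""
from collections import deque
from urllib.parse import urlparse

# Constructed sample Compiled Policy, organised by aspect as the text describes.
SAMPLE_POLICY = {
    "tools": {"allow": {"customers": ["read", "write"], "pii_archive": ["read"]},
              "deny": ["pii_archive"]},
    "network": {"allow_domains": ["tools.example.internal"]},
    "budget": {"tool_calls_per_minute": 5},
    "compliance_tags": ["gdpr"],
    "identity": {"tier": "worker"},
}

# Assumed: default scope for schemas with no explicit ACL entry, keyed by trust tier.
TIER_DEFAULT_SCOPE = {"observer": [], "worker": ["read"],
                      "standard": ["read", "write"], "full": ["read", "write"]}
DESTRUCTIVE_OPS = {"delete", "drop", "truncate"}   # assumed classification
LOOP_THRESHOLD = 3   # assumed: same destructive call repeated 3x kills the session


def derive_broker_config(policy: dict, sandbox_id: str) -> dict:
    """Keep only what the broker enforces; an explicit deny overrides any allow."""
    tools = policy.get("tools", {})
    acl = dict(tools.get("allow", {}))
    for schema in tools.get("deny", []):
        acl[schema] = []                      # none: neither read nor write
    tier = policy.get("identity", {}).get("tier", "observer")
    return {
        "proxy_url": f"wss://api.tappass.ai/mcp/{sandbox_id}",
        "upstream_domains": set(policy.get("network", {}).get("allow_domains", [])),
        "schemas_acl": acl,
        "default_scope": TIER_DEFAULT_SCOPE[tier],
        "rate_limit": policy.get("budget", {}).get("tool_calls_per_minute", 0),
        "compliance_tags": list(policy.get("compliance_tags", [])),
    }


class BrokerSession:
    """Per-session state: forwarded-call timestamps, recent destructive ops, audit."""

    def __init__(self, config: dict):
        self.cfg = config
        self.call_times = deque()                 # timestamps of forwarded calls
        self.recent = deque(maxlen=LOOP_THRESHOLD)  # recent destructive (schema, op)
        self.killed = False
        self.audit = []

    def check_call(self, upstream_url, schema, mode, op, now):
        """Run the pipeline for one call; returns (allowed, reason) and records audit."""
        reason = self._evaluate(upstream_url, schema, mode, op, now)
        allowed = reason == "ok"
        if allowed:
            self.call_times.append(now)       # only forwarded calls count toward budget
        self.audit.append({"t": now, "schema": schema, "op": op, "allowed": allowed,
                           "reason": reason, "compliance_tags": self.cfg["compliance_tags"]})
        return allowed, reason

    def _evaluate(self, upstream_url, schema, mode, op, now):
        if self.killed:
            return "session_killed"
        if urlparse(upstream_url).hostname not in self.cfg["upstream_domains"]:
            return "upstream_not_allowed"
        scope = self.cfg["schemas_acl"].get(schema, self.cfg["default_scope"])
        if mode not in scope:
            return "schema_acl"
        cutoff = now - 60                      # sliding one-minute window
        while self.call_times and self.call_times[0] <= cutoff:
            self.call_times.popleft()
        if len(self.call_times) >= self.cfg["rate_limit"]:
            return "rate_limit"
        if op in DESTRUCTIVE_OPS:
            self.recent.append((schema, op))
            if len(self.recent) == LOOP_THRESHOLD and len(set(self.recent)) == 1:
                self.killed = True             # runaway-agent-stopper behaviour
                return "loop_guard"
        else:
            self.recent.clear()                # a non-destructive call breaks the loop
        return "ok"


def run_demo() -> list:
    """Drive one session through the checks; returns the reason for each decision."""
    sess = BrokerSession(derive_broker_config(SAMPLE_POLICY, "sbx-demo"))
    good = "wss://tools.example.internal/mcp"
    calls = [(good, "customers", "read", "select", 0),
             ("wss://other.example.com/mcp", "customers", "read", "select", 1),
             (good, "pii_archive", "read", "select", 2),
             (good, "orders", "write", "insert", 3)]
    calls += [(good, "customers", "read", "select", t) for t in (4, 5, 6, 7, 8)]
    calls += [(good, "customers", "read", "select", 70)]
    calls += [(good, "customers", "write", "delete", t) for t in (100, 101, 102, 103)]
    return [sess.check_call(*c)[1] for c in calls]


if __name__ == "__main__":
    print(run_demo())
```

The order of checks matters: the cheap, static checks (upstream allowlist, schema ACL) run before the stateful ones, and only forwarded calls consume the per-minute budget, so a flood of denied calls cannot lock out an otherwise legitimate session. The audit row carries the compliance tags on every decision, allowed or not, which is what makes the denied calls reviewable later.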