MCP Gateway & Registry — Team Tool Control

Practical Notes

• Per README: semantic search endpoint POST /api/search/semantic returns relevance-scored matches across servers, tools, and agents.
• Per README: supports telemetry with opt-out via MCP_TELEMETRY_DISABLED=1 (privacy-first, no PII per doc).
• Use it as a policy point: enforce auth, rate limits, and security scans before agents can use a server.

Main

A pragmatic governance model:

1. Inventory everything. Register MCP servers with owners, environments, and trust levels.
2. Make “approved” explicit. Don’t let agents discover arbitrary remote servers; gate by policy.
3. Scan + monitor. Run scheduled scans and health checks; disable servers that regress.
4. Keep audit trails. When an incident happens, you need to know which agent used which tool, when, and with what auth.

If you already run Keycloak/SSO, align identities so human and machine auth are consistent across the registry and your internal services.

FAQ

Q: Do I need Kubernetes? A: No—README includes quick start with prebuilt images (Docker/Podman). Kubernetes is optional for production scaling.

Q: What should I store as metadata? A: Owner, environment, data sensitivity, allowed tools, and any compliance flags (HIPAA/PCI) you care about.

Q: How do I prevent tool sprawl? A: Centralize discovery in the registry, require ownership, and periodically prune unused or risky servers.