MCP governance

Spec sheet for agent access.

This is what the server checks before a tool runs. Same rules for Claude, Cursor, and any other MCP client.

Mirrors Tenant → AI Agents controls

Enforcement layers

Tenant isolation

Every tool call runs with your workspace tenant_id from the verified token. Cross-tenant IDs read as not_found.

Project permissions

Project-scoped tools reuse the same permission templates as the REST API. If you cannot edit a task in the UI, the agent cannot either.

Read by default

OAuth scope mcp:read is enough for native read tools. Writes are off until an owner enables mcp_write_enabled and you grant mcp:write.

Destructive preview

Archive, bulk status, delete comment, and similar tools return a preview token first. apply_pending_action executes after confirmation.

Consent & audit

Each MCP client gets an explicit consent row. Tool calls are metered and auditable from Tenant → AI Agents.

Plan gated

mcpAccess is an entitlement on supported plans. Caps (monthly tool calls, write rate) come from your subscription, not hardcoded in the UI.

Error contract

Agents should surface these codes to users. Wording matches the API and in-app agent.

not_found

Resource ID is outside your tenant or you lack project access.

forbidden

Missing project permission, OAuth scope, or tenant role.

policy_violation:mcp_write_disabled

Write tool called while tenant policy keeps MCP read-only.

limit_reached:*

Monthly tool cap or write rate limit from your plan entitlements.

conflict

Duplicate task dependency or similar domain conflict.

Not included

  • No public anonymous MCP endpoint: you need a workspace membership.
  • Writes are not enabled by default: tenant admins must opt in.
  • Headless service accounts ship in Phase 2 docs; check your plan and changelog for availability.