Tenant isolation
Every tool call runs with your workspace tenant_id from the verified token. Cross-tenant IDs read as not_found.
MCP governance
This is what the server checks before a tool runs. Same rules for Claude, Cursor, and any other MCP client.
Mirrors Tenant → AI Agents controls
Every tool call runs with your workspace tenant_id from the verified token. Cross-tenant IDs read as not_found.
Project-scoped tools reuse the same permission templates as the REST API. If you cannot edit a task in the UI, the agent cannot either.
OAuth scope mcp:read is enough for native read tools. Writes are off until an owner enables mcp_write_enabled and you grant mcp:write.
Archive, bulk status, delete comment, and similar tools return a preview token first. apply_pending_action executes after confirmation.
Each MCP client gets an explicit consent row. Tool calls are metered and auditable from Tenant → AI Agents.
mcpAccess is an entitlement on supported plans. Caps (monthly tool calls, write rate) come from your subscription, not hardcoded in the UI.
Agents should surface these codes to users. Wording matches the API and in-app agent.
not_foundResource ID is outside your tenant or you lack project access.
forbiddenMissing project permission, OAuth scope, or tenant role.
policy_violation:mcp_write_disabledWrite tool called while tenant policy keeps MCP read-only.
limit_reached:*Monthly tool cap or write rate limit from your plan entitlements.
conflictDuplicate task dependency or similar domain conflict.